Hi there, welcome to this CNCF webinar. I'm really delighted to talk to you today about open-source security. This is Charmed Kubernetes and Kubescape for the best in class of Kubernetes security. And I hope over the next 25 to 30 minutes we can talk you through some of the landscape around security, some of the challenges that you face in Kubernetes especially, and some of the solutions. And really bring to light why we think that Kubescape and Charmed Kubernetes are really good partners in helping you with your open-source security needs. But before we get there, let me just introduce who we are. My name is Alex. I am the director of Kubernetes at Canonical, Canonical being the company behind Ubuntu, which might sound familiar. And I'm gonna try and talk to you a little bit today about my experiences as both the engineering and the product leader in that space and why something like Kubescape is so important to us. Hello, everyone. Thank you, Alex. My name is David Wertenteil. I am a lead maintainer of Kubescape. I work as a team lead at ARMO. So as you can understand, I am one of the developers of Kubescape. With us over here, there's also Vlad, who is also a colleague of mine from ARMO, and also a lead maintainer of Kubescape. Thank you so much. So let's get straight into it. Security for Kubernetes is overwhelming because of a few reasons. People are learning a new topology. It's on top of Linux. And also it really is distributed Linux, right? And so a lot of these concepts that people don't really brush up on for five, 10 years after school come back to haunt them when they're thinking about a container, a pod, a namespace, root privileges. What does all this really mean? And so some of the challenges that you have are not only the education piece; you've got DevOps engineers who want to help you go faster to build pipelines, to provision, to deploy.
You have security professionals who are trying to stop this and to look at the threat and risk models for deploying into the wild. And then you have end users who are voraciously trying to consume this stuff. So it's super challenging to have a security tool or platform that can meet all of those needs and to help all of those professionals get what they need out of it. And so today, if we were trying to think about distilling this into a few security problems, I think it would be these that you can see on the screen. Many security tools are difficult to use. I think of some of the proprietary ones that I've had to use in the past, and the results come out in many different formats. Often the recommendations from tooling will be an Excel sheet that you'll have to digest, or maybe there will be a score, but that's proprietary, right? That scoring is only relevant to that tool. That kind of bleeds into the next point, which is that they're fragmented, right? You have tools that are all over the space in terms of where they actually touch. Lots of tooling around images these days, OCI images, lots of scanners around specific spaces where you can think about, is this image from a certain registry? But there aren't tools that tend to be generalists, and the tools that are generalists don't tend to work in depth across all of the different segments in a similar way. And so people find themselves thinking, well, do I need this? Do I need this? And with that proprietary angle it makes it even more complicated. I gotta spend $80,000 a year just so I have a suite of tools that can do all the things I need. And finally, once you've got all those tools, well, do they actually detect if my manifest has a misconfiguration, right? Or am I just looking at whether my Linux kernel has the latest modules? And so there's a gap naturally in that area. If we were to try and put that all together into perhaps three key themes, I think it would be the following.
Hardening around the actual node of Kubernetes, right? At the packages, the file system, the way that you're able to interact with that system, is a super important challenge. And that's what many of these tools look to give you an assessment of. CI/CD, so the actual provisioning and distribution of software on top of Linux, on top of Kubernetes, is fraught with attack vectors, right? Anything from man-in-the-middle to poisoned-registry attacks. Being able to actually provision the right thing onto the right node, and you know where it came from and the provenance of that, is extremely compelling. And the last thing is, how do you do all of the above, plus being able to say that your regulators can come in and see you've got an audit log and you're FIPS compliant, you're CIS compliant, you follow the latest NSA hardening guidelines? So it's an absolute headspin of how do you get anywhere near being successful with security for Kubernetes, because it's super challenging and it's a real landmine and minefield. So how does open source play into this? Well, open source is often at the bleeding edge of innovation because people are able to explore ideas without there being a commercial incentive necessarily. And so when we think about why has open source been powerful, think about why has Linux or why has Kubernetes been powerful: because it gets an inertia behind it, and because bad ideas are often pruned and good ideas are often grown. And so that's why we like to think that with Charmed Kubernetes and Kubescape we've got a marriage of two very important open source products that can come together to give you this solution for security. I wanna take you very quickly through what Charmed Kubernetes is. The TL;DR of this is it's upstream K8s plus an operator lifecycle management system, right? All the bells and whistles of conformant K8s and all that jazz, and we keep it all up to date. It's got CVEs that are automatically squashed and we roll out revisions nightly, right?
Your K8s goes and runs, and let's say there's a critical CVE in etcd; you automatically get that fix, you do nothing. It also runs on top of secured Ubuntu as part of this stack. So you get live patching on the kernel. Not many people can boast that, if any. And then all this blurb and text you see here are all the other bells and whistles that we do that many other companies compete in that space against. But the thing that I think is the differentiator is really our story about how we get packages to you in your K8s cluster. You'll hear me talk about Juju a few times. Juju is effectively our provisioning and operator lifecycle management system, but we also support CAPI and we're also looking at other ways to bring Kubernetes to you in the format that suits you best. In terms of that story I mentioned a moment ago, right? In terms of those three pillars, how the heck does any of this stuff relate? Well, the hardening aspect, from what I think about it, is Canonical works very hard to make open source accessible. And so what we do is we're now starting to think about, well, FIPS shouldn't be something that's just for proprietary use only. Let's harden Kubernetes with FIPS. What does that actually mean? FIPS means that you need to have certain crypto libraries inside of your Golang build engines and your runtime of Kubernetes, so the cryptographic hashes that it's creating match the FIPS hardening guide. So we're doing that. This year we're releasing FIPS-hardened MicroK8s, great. How do we think about CI/CD? Juju allows you to have consistent multi-cloud CI/CD approaches. In fact, Juju really works more on the reconciliation basis than the CI/CD push basis. And what's really nice about using Juju is you have consistency across clouds. So way less misconfiguration comes in there. And then the last thing around governance and compliance is coming back to that angle of, do you have accreditation?
Ubuntu is accredited in many different ways, ISO, FIPS certified, et cetera, and we're starting to bring that into K8s now. So NCSC, for those who aren't familiar, is the National Crime Agency in the UK. We've just gone through a review with them as well as other organizations across the world to make sure that we're pulling in the highest standards possible. So that, in a nutshell, is why I think Charmed Kubernetes is interesting. And let's move on to Kubescape, and David, speak a bit to that. Hi, so I'll take it forward from here. And then we would also explain exactly how the two beautiful products can integrate in a seamless way. So what is Kubescape? Where did we start from? So I'll give it a really quick recap. What happens is that, as Alex explained, the three different main driving points that drive us over here are: there are many tools out there. Not all of them work, or know how to solve all the problems. And a lot of them have a lot of different holes in them. So we came with Kubescape with an idea of having a single tool that's built for developers, that is built for DevOps, which means it's easy to use, easy to integrate with, and that it covers your pipeline from the development, as a VS Code extension, through the CI, which means with GitHub Actions or CircleCI or others, and also in your cluster with a CLI tool and also with the Helm charts you can install in your cluster. Next slide, please. Yeah. So now Kubescape really comes to answering multiple questions. But what we really point out over here is, first of all, we give you the best practices. So if you want to be compliant, we have NSA, we have MITRE scanning, CIS benchmark; we show you where you stand relative to your other clusters and how compliant you are with these different frameworks. We also, Kubescape can also show you, can identify and also can prevent some security drifts.
That means Kubescape will tell you if you right now published a new namespace or resources with more security issues than you had before. So Kubescape will notify you on such things. And in general, we have over here a continuous Kubernetes hardening, which we can give it, Kubescape gives you remediation advice on how to fix your issues. You can also run recurring scans. That means not only once a year or only when you deploy your components, but also once a day or once a week, et cetera. So if there are any new CVEs, Kubescape would right away detect it and alert the users about it. Awesome. Thank you, David. And I suppose as we come on to this question of how these products merge together, it's important to take a step back and think about what I mentioned a moment ago on that whole operator lifecycle management piece. We think about operators as charms at Canonical. And these charms are open source, and they're effectively little Python packages that wrap around whatever you might have. So you might have an existing Helm chart. You might have an existing set of manifests, or it might be something more basic, such as just a customized script. What charms do is write hooks into that. So on create, on delete, et cetera. And that behavior, you could say it's the same as Kubebuilder. Kubebuilder does that too. But where charms differentiate themselves is that they are data-driven and that the charms expose interfaces to each other. So we could potentially have an nginx charm and relate that to the Kubescape charm and add capabilities for it to say, oh, I know what you do. I'm going to add a watch on your ingress, or I'm going to do X, Y, Z. So charms are a way of building effectively data-controlled operators that have their entire lifecycle management. But also what they do, and I think this is from our perspective why it was interesting to collaborate, is they let you go fast, right?
The charms are completely tailored and they are mature in the sense that we know the charm will always work. It's like when you do snap install kubectl, you basically know that 99.99% of the time that should work, or install Docker with apt on Debian. You know that that worked, and if it doesn't, something's pretty wrong. And so we do the same approach with this, and it's kind of low ops. And that's really where we're coming from here. In terms of what I want to hear from ARMO, I'd be really interested to know, David, from your perspective, how do you think about Kubescape as a charm, and what do you think of sort of the things of why that's useful to end users? Yeah, so it actually really comes together pretty nicely, because also with Kubescape, we look at it in a lot of ways as something that we want to install out of the box. As I mentioned before, it's built for DevOps. That means we don't want the DevOps to start struggling over here, calling support or opening dedicated support tickets. We want this really to work out of the box, and it should work out of the box. And connecting this with charms would give it a very nice boost towards that direction. So if you're already working with charms, or if you want to work with charms and you also want to work with Kubescape, these two products can go together really well. So one of the ways that, when I think about this, before this webinar, I was trying to draw this out and visualize how these things work together; it's very clear when you put it into something like an illustration here. So the orange components, if you think about those as charms and you think of the blue as Kubescape, they're complementary. So charms give you the guarantee of hardening on your cluster, updating packages, and being the person that's responding to a lot of the things that Kubescape is going to point out to you. What's really interesting is where Kubescape comes in and provides you that value.
David, it'd be really interesting to hear a little bit more around one of the things I've highlighted here, security gating. Why is security gating useful in the CI/CD? So first of all, there's always the obvious answer, which is, there's this very well-known slide, I would say, that every hour of a developer is like one hour in the development phase. And it's another 10 hours in the testing phase, and then another 100 hours in the production phase. So when you try solving your issues, obviously, in production, or when you start looking into security hardening in production, you're going to spend much more time on it, whether because you have different Helm charts with different values, et cetera, that you would now need to track back to the origin of them, or for various different reasons. So if you have this built correctly as a CI/CD pipeline, it would save you a lot of time. And this is really where things come together over here, with having it first for setting up your security from level one, from when you start developing it, and again through the pipeline, and again securing your applications and being compliant also when you run in your production systems. And that makes a lot of sense, because I think, as you say, catching it early and shifting left is a critical way of actually making sure you don't extrapolate the amount of time that gets wasted. But also, you've got this other side of things as well, which is the active scanning. And in the diagram, of course, it shows things like artifact images, but that's not all, is it? You also have sort of misconfigurations and active scanning in terms of what's going on in that cluster. Can you speak a little to that? Right. So we focus, Kubescape would focus mainly on the application side of it, I would say. So Kubescape would not only scan your images for CVEs, et cetera, but Kubescape would also scan your configurations, your YAML files, et cetera, for misconfigurations.
Kubescape would also scan if you're using cloud providers, et cetera, so Kubescape would also take a look into those configurations. Again, CIS, if we look at the CIS frameworks, so we need that support as well. So yes, so definitely you obviously need the infrastructure, that would be a good and protected infrastructure, but also the application; you need to make sure that your application is also following the guidelines and the hardening of the different security frameworks out there. And that's where it gets quite interesting, because you mentioned CIS, and so for example, let's see, there could be a CIS control that's failing because the manifest is doing something that shouldn't be; it might be doing some sort of privileged thing on the host. That's where we try to also meet, and the orange box is here, by making sure the host itself is hardened. So you're kind of really squashing any opportunity for there to be an attack vector. And I think that's a really nice illustration of where these two things come together successfully. So we've spoken a little bit about kind of the why and the how; it's important not to overlook the, let's get started with this. And one of the things that was really exciting was, because Charmhub has become the de facto way of getting your operators and getting your charms, it makes it very easy for anyone in the world to just do effectively a one-liner install. And so I was really excited when Kubescape was published onto Charmhub, because as we'll see in a moment, it makes actually fetching it from anywhere super easy. And just to talk a little bit around this, you'll see things like stable, five, et cetera. Charmhub supports a similar theory to Snap, where you have channels and you can put an edge release, you can put a stable release, you can put a dev release. And you could even say, hey, this is something specifically for that architecture.
And so I think what we're trying to do is, again, coming back to that idea of low ops and zero ops, we want Kubescape to be on clusters that all of our end users are running, because we see an immense benefit there. And by lowering that bar to entry, just like we do with things like MicroK8s, people will be like, yeah, I'm gonna check that out, I'm gonna try that and see how it works. And then they'll start to engage with the team at Kubescape and say, hey, yeah, I found this thing, how's that working? So that's what gets me excited, is to think about all those end users that are now available to reach. So with all our talking, maybe what we should do now is to hand over to Vlad to give us a bit of a demo. Sound good? Yeah, sure. Hi, I'm Vlad. I will be taking over with a demo and I will be presenting my screen now. So as Alex mentioned, we distribute Kubescape as a charm and it is available on charmhub.io/kubescape. To install the charm, the only thing that you need to do is to deploy Juju, have it set up with your cloud, and follow the instructions we provide in the charm. So in the charm, I'm sorry. So I have Juju deployed already. I am running a MicroK8s cluster locally and I will right now bootstrap a controller that connects Juju to my local MicroK8s. To do this, I run a simple command, juju bootstrap microk8s with the name of the controller, and it should bootstrap the controller for me. So Juju will be able to talk to the cloud, manage its models and perform any operations necessary for your deployment. This takes some time, but it's generally quite quick. Just while we're doing that, it's quite important to mention that you've got at the top there, you can see you've got several different controllers, and that's because typically a way somebody might use Juju would be to talk to several different clouds and different clusters and models within those clouds.
And so I think that one of the things that is kind of, I guess, a hurdle when you're learning is to get into that mindset that Juju effectively has these almost like bastions that you can connect to and work with. Yeah, sure. And as you can see, I've leveraged already multiple controllers to apply my models across multiple clouds. So this was very convenient. But right now, moving on with Kubescape, I have already deployed the controller, and right now, if I go back to the documentation, we would see that we are required to create models, and models are generally the things that encapsulate your applications. So right now we would add a model for Kubescape, and this is just one simple command away from you. So as you can see, the model has been created, and right now we are good to create an application to deploy Kubescape itself. So for that, we just copy the command, and there is one thing to keep in mind when deploying the command: I am running on MicroK8s. So I will be changing the command from the documentation to accommodate for MicroK8s. And then you will also need to provide your account ID, which is distributed via the ARMO platform. Excuse me, I got it, where I got that. Oh yeah, right. So you have to sign up for the ARMO platform, which is the SaaS offering of Kubescape. Right now, you can see I have my Nefti account. So I'm copying the ID and we're, excuse me. And it's important to mention, this is completely free to do, right? Anybody can sign up and create an account. Absolutely, creating an account is free and you should be able to use Kubescape whenever you have one. So right now we are deploying the Kubescape charm. And when it deploys, it automatically runs a scan of your cluster, and given the provided account ID, it will connect the scan results to your Kubescape, the ARMO platform account.
So you will be able to see the results in all their glory in the SaaS and review them, take a look at your configurations or misconfigurations that you might have, CVEs and whatnot. So as you can see in the status, the Kubescape application is deploying. Right now it's performing some of it. It's Juju zero, it's magic. We are installing the charm software inside of our model. And right now, when you see no message, it means that Kubescape has been successfully installed and it's already performing its security thing. So thank you, that's it for me. I will be handing it over to David. Yes. So I'll be taking it from Vlad. Vlad, thank you very much for the demonstration of how to install. And now I would go a little bit through the different views you can see on the ARMO portal. So what Vlad just scanned right now, the cluster he just scanned, I don't know if you noticed, but he called it DW. Thank you, Vlad. So here are the results from Vlad's scanning. As you can tell, it can take around half a minute to a minute for the scans to appear in the ARMO portal; it depends on the size of the cluster, but it's relatively quick. Now what we're looking at right now is the ARMO portal. Over here we can see basically everything that you do with Kubescape, whether you do it from your CI/CD, or you run it as Kubescape as a CLI, or Kubescape as a Helm chart. Again, we wanna have a single pane of glass for everything, for your full pipeline. So we're gonna take a look into the config scanning, which is the configuration scanning. And I will show you a very quick tour over here of how it looks. So first of all, you can look at the different frameworks that we have, the CIS. You can also follow up with the NSA framework or with the MITRE framework, whichever one you prefer. And let's say if we take the NSA framework, we see over here the different controls that are filled with the NSA framework and the cluster that Vlad just ran.
For example, in the NSA, there's a control named resource limits. That means that the cluster is missing, the workload is missing resource limits. As you can tell, all of my workloads have a resource, almost all of them have limits. The kube-system ones are excluded, because obviously this is something that you have nothing to do about. But for this demonstration, we wanted to show you a little bit how it looks. So Kubescape will show you exactly how and where you need to fix. So to tell you that you need to add over here the resource limits, the CPU and the memory. And once you do this, next time you scan your components with Kubescape, you would see this control pass for this resource. There's also a tooltip over here explaining why this is and how you should change these values in your original deployment. So this actually works out of the box. It's nice, it's fun to use, and it's relatively easy. Another thing we had, as Vlad demonstrated, so this is the configuration scanning. We also scan the images for CVEs. So you can have different CVEs in your system. I'll actually take over here the CVEs. You can take a look at the different CVEs that we detected. You can also exclude CVEs if you wish to exclude. We show you if there's a fix available for that, and if there is a fix you can also sort and filter based on that. And this is generally the views you can see related to the Helm chart installation. There's another thing that Vlad did not demonstrate, but I will just show a sneak peek of that. Kubescape can also scan registries and also repositories. So we'll take a quick look at the repositories. So as we're speaking about the CI/CD, as you can tell, you can scan your GitHub, Azure, Bitbucket, GitLab, et cetera. And this way you can really have one place showing you all of your different issues. That's it. Alex, now it's back to you. Thank you so much. Let me just share my screen again.
I think it's a wonderfully good pairing. I think the thing that I wanted to help convey here is that these are complementary technologies, and Kubescape makes it easy, from my perspective, to get people excited about security, and they can leverage some of the capabilities in Ubuntu and in Charmed Kubernetes to help bring them closer to compliance with those controls. So when we really think about summarizing that, the idea is that Charmed Kubernetes enables low-ops management. And then when you place Kubescape on top of that, you have a really great one-stop shop for security. And as David demonstrated, with those open source features that are being built and added all the time, it's a pit of success, as we like to say in the industry. And so I think that it makes it very compelling for someone to go out there, try Charmed Kubernetes, pop Kubescape on top and actually start to think about, oh, security isn't something that's a drag. I can actually start to look at these things in a proactive way and be successful for my solution and for my business. So I hope that you've enjoyed the past half an hour or so with us. I know that we've really enjoyed bringing this to you. I wanted to call out both of the projects. So at ubuntu.com/kubernetes you can find Charmed Kubernetes, and at github.com/kubescape/kubescape you can find the Kubescape project. There is a wealth of information on both of these links. David and I are accessible as well. And from all of us, I'm sure that you will be receiving lots and lots of feedback if you do want to take part in looking at these projects, and a big thank you for joining us today. Thank you so much, everyone. Thanks, David. Thanks, Vlad. Thank you, Alex. Thank you, Vlad. It's been a pleasure. Thank you.