Good afternoon and good evening. Thank you for joining me today. I'm Jie Hong Mo. In this presentation, I will discuss enhancing the debugging ability for Helm. This method can effectively apply to Helm in general, extending its benefits beyond the scope of Kubescape alone. Therefore, I will introduce this idea in the presentation and use Kubescape as an example to illustrate its practical implications.

Before that, I will introduce myself first. My name is Jie Hong Mo, and I am an Erasmus Mundus Master's student currently studying at Aalto University in Finland, and I will continue my studies at EURECOM in France next semester. This is me, and this is my GitHub and LinkedIn.

Then let's move on to the first part. What is Kubescape? Kubescape is an open-source security tool specially developed for Kubernetes. It serves as an early detection system that can help identify security risks, compliance violations, and misconfigurations within Kubernetes clusters. By using Kubescape, organizations can proactively address security concerns and reduce the risk of potential breaches. It is worth mentioning that Kubescape is a sandbox project of the Cloud Native Computing Foundation now.

Here are the contents of the presentation. First, we will discuss the existing problem. Then I will show my solutions to the problem. In the end, the conclusion will be given.

Let's focus on the existing problem. As we mentioned above, Kubescape can scan misconfigurations in Kubernetes, which includes Helm charts. However, Helm does not give information about which output line is coming from which input line. We take this as an example. We can see a Helm chart uses a template file and a values file to get the rendered file. But after rendering, the result file only provides which source file it comes from, without telling which input line in the original template file an output line is coming from. So it caused a problem in Kubescape.
The information can create the correlations between the source and outputs. So for Kubescape, there is no backend connection to the original source file after the charts were templated. More than that, Kubescape cannot use it to produce correct fixes for Helm charts.

To deal with this problem, we need to link the output with the original line in the template file. To achieve this, the feature of comments is used. In a Helm chart, if we add a comment to the template file, it will remain after rendering. Therefore, if we can add the line number information in the comments, then we can get the line information in the rendered file. More than that, we can add more information for each line to form a mapping node. For example, here we can get the field, which is the path in the YAML file. We can also get the value of line 20, and the line number and the template file. More than that, we can also get the API version and kind for Helm chart information. So for one line, we can get so much information here.

But the problem is, how can we generate the mapping node for each line? Here are two methods I have tried. First, I use regular expressions to get the mapping node. Second, I use a YAML package to get the mapping node. They have similar steps here. The first one defines the pattern, extracts the field and fills a mapping node. The second one uses the package to calculate the field, extracts the field, then fills a mapping node. Maybe we can all notice that the difference is how to calculate the field here. After a comparison, I chose the second one as my final solution, since for the first one, we need to define the patterns manually. And there are many possibilities for the patterns in a YAML file. So if I miss one, it will cause a bug. More than that, if we define the patterns in the code, there will be a lot of workload. So in the end, to simplify, I chose the package to calculate the field. And now I can just calculate it directly.
But the problem is, the second one is much slower than the first one.

The final solution can be divided into two parts. First, get the mapping node, then apply it to Kubescape. For the first part, there are four steps. First, add comments to the template file. Then, render the Helm chart. After that, get the mapping node of the rendered template file. In the end, delete the comments on the rendered template file. For the first part, getting the mapping node of the rendered template file is the most important part. And it is also the part I will explain in detail in the demo time. Then, after that, we just need to use it to calculate the output line of the Helm chart type file. Then use it to form the fix objects.

Let's move on to the demo time. I will show you how I use the regular package to get the mapping node. Before explaining the function, I will introduce the structure I used here first. As I mentioned above, each line can have one mapping node here, and it includes the object ID, field, value, template file name, and template line number. Then, here we define the template node. One template can have several nodes. This one represents a template here, and it includes several lines, several nodes. One file can have several templates. We use a circumference to represent it. This represents a file.

Then, after knowing the structure we used here, let's move on to the real function I used here. This is the most important function I used. It uses the file name and file contents as input. The file mapping is the output here. For each file, first we split the file contents into lines. Then, we range over the lines to process the file. We use three dashes here to separate the templates. For each template, we will check if the API version and kind are here. If one of them is lost, which means that the YAML file is correct or wrong. It's not correct or wrong. Now, we will just give it. Otherwise, we will continue the process.
This function is the function where we call the YAML package to process the file contents. Here is the real function. We define the encoder and decoder of YAML. Then, the stream evaluator. In the evaluator, we evaluate it. We input the file contents, the encoder and decoder. But actually, we use the expression to define which line of the file we will process. Then, it will tell the output of the file. It defines the output of each line. It will tell the dest path and the type and also the value.

Then, I will use an example to show you what the output looks like. Here, it shows the output of the YAML package. Here is this. We have the dest path and it also has the type and also the value. One output can have different types. So, we divide it into three types. First is the map type, and also the sequence type, and also the not-map type. Then, what is the difference between them? For the map type, it doesn't have the values in the output. For the string type, it will definitely have the values. The difference is the sequence type. This is one sequence type example. In a YAML file, we can use this one dash and space to mean a sequence here. The sequence type represents the sequence.

After seeing what the output looks like, let's go back to the function. Here, we know what the output looks like in this one. Then, we go back to process the output. We get the output here and for the output, we can get the path. We check if this path is empty or not. If it is empty, it means that for this one, there is no important information. So, we will just skip it. Otherwise, as we mentioned, one output has many small outputs inside. We use these to split it. Then, we use this function to process each small output. For each small output, first, we will check if it is a map type or not. Only if it is a map type, then we use the map type. We show that this is a map type.
We set it as true and use the map type to process it. If it is not, it means that it's the sequence or string type here. Then, we can get the value of the result. We use this function and set it as false to process it. In the end, we will write the nodes to the mapping nodes. Then, we append the mapping nodes to the file mapping. The file mapping can contain several road mapping nodes. Then, we just output the file mapping.

Okay, after the demo time, let's move on to the result. Here are two results. First, with the mapping node or file node, Kubescape can give correct locations to the file rendered by the Helm chart. Then, with the mapping nodes, Kubescape can provide automatic fixes to the file rendered by the Helm chart.

Here, I will use GitHub Action to show the result. Now, I will test this workflow to show the result of my program. Here, I defined the Kubescape scan as the workflow to show the result. You can see there are several steps here. Basically, it is the same as the one of Kubescape. The only difference is that I changed the GitHub Action here to mine. So, it will use my own image instead of Kubescape's. We can check this step. It will show how it runs my function. Like this one, you can see this is the same as in my function. So, it selects line three and gets the result and processes it. So, the last two are similar things. Then, after that, we can get the result here. We output the result as SARIF. Why do we use the SARIF format? Because with SARIF, it can create the result and just upload it to GitHub Action security. So, we can check it in security directly.

So, basically, what I changed is in the result part of the report. So, here, it shows which kind of policy and index, and this is the test. So, it will also tell... here is what I added, like what the mapping nodes can help with. It can tell the accurate start line and also the accurate columns here. More than that, it will also add the fixes for this one.
So, for the fixes, it shows where the problem is. Then, it shows what I have to change it to. It's like for this line, I have to insert this one. Tags like namespace and my namespace. So, these are my changes to Helm charts for Kubescape. First, it's adding the location. Then, the second one is adding the fixes objects here. And it can also show in security. So, for this one, you can see here, now it only has the location. I'm still doing the part of showing the fixes in this one. But still, we can see it works. It tells where the problem is. So, yeah, this is the demo.

After the demo time, let's go to the conclusion. My solution effectively bridges the gap in Kubescape's automatic fix capabilities for Helm charts and provides a workflow to generate accurate fixes. Furthermore, my solution is not just limited to Kubescape. It essentially improves debugging abilities for Helm charts, which makes it versatile for solving similar problems.

In the end, I have to say, I have gained valuable knowledge here and I'm proud that I can contribute to the advancement of Kubernetes security practices. Based on my experience, I highly recommend individuals who are passionate about enhancing Kubernetes security to join our community. Together, we can continue to learn, grow, and make a meaningful impact in the world of Kubernetes security. Thank you.
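
The four steps described in the talk (add comments to the template, render, build the mapping nodes, delete the comments), as an added Go example that is not Kubescape's code and not taken from the talk. It renders with the standard library's `text/template`, the engine Helm templates are built on, rather than with Helm itself; the `# src=` tag, the `Node` fields and the indentation-based path calculation (nested mappings with 2-space indents only, no sequences) are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"text/template"
)

// Constructed sample template: the {{ if }} block shifts rendered line numbers.
const sample = "kind: Pod\nmetadata:\n{{ if .Values.labels }}\n  labels:\n    app: web\n{{ end }}\n  name: {{ .Values.name }}\n"
// Node ties one rendered line to its template line (field names are illustrative).
type Node struct {
	Path, Value       string
	TmplLine, OutLine int
}
// MapNodes tags each template line with "# src=<n>", renders, then strips the tags.
func MapNodes(tmpl string, values map[string]any) (clean string, nodes []Node, err error) {
	lines := strings.Split(tmpl, "\n")
	for i, l := range lines {
		lines[i] = fmt.Sprintf("%s # src=%d", l, i+1)
	}
	t, err := template.New("chart").Parse(strings.Join(lines, "\n"))
	if err != nil {
		return "", nil, err
	}
	var buf strings.Builder
	if err = t.Execute(&buf, map[string]any{"Values": values}); err != nil {
		return "", nil, err
	}
	var out, keys []string
	for _, l := range strings.Split(buf.String(), "\n") {
		body, num, ok := strings.Cut(l, " # src=")
		if !ok || strings.TrimSpace(body) == "" {
			continue // tag only: the line came from a template action
		}
		out = append(out, body)
		k, v, _ := strings.Cut(strings.TrimSpace(body), ":")
		depth := (len(body) - len(strings.TrimLeft(body, " "))) / 2 // 2-space indents assumed
		for len(keys) > depth {
			keys = keys[:len(keys)-1] // drop keys at the same or a deeper level
		}
		keys = append(keys, k)
		n, _ := strconv.Atoi(num)
		nodes = append(nodes, Node{strings.Join(keys, "."), strings.TrimSpace(v), n, len(out)})
	}
	return strings.Join(out, "\n"), nodes, nil
}
func main() { fmt.Println(MapNodes(sample, map[string]any{"name": "demo"})) }
```

With `labels` unset, `metadata.name` is line 3 of the clean output but still maps back to template line 7, which is the correlation a scanner needs to report a finding against the chart source.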