Good morning, good afternoon, good evening, and welcome to a very special episode of GitOps Guide to the Galaxy. I am joined by two of my fellow Red Hatters, Christian Hernandez and, new to the show, Michael Foster. Christian, how's your day going? How's it going?

Yeah, it's been crazy. It's been what we call a sprint to KubeCon, because all of a sudden, wow, KubeCon's next week. Whoa, okay, I'd better get to my demos. So I'm flying out on Saturday.

There you go. Yeah. I enjoyed... there was a note that Stu sent to you yesterday, that you knew the answer in the slide.

Oh, okay. I actually... thank you for that. Thank you for following up live. So, also real quick, I'd like to introduce Michael Foster here in a second. I'll let him introduce himself. I actually got a new keyboard. There was a saga of me getting my new keyboard. It took me eight months, folks. It took me eight months to get a keyboard. Yes, supply chain issues. But anyway, if you hear loud clicking, that's my new Cherry MX Blues. I want my neighbors to hear when I type. So anyway, that aside, this is a really long intro. I'd like to introduce Michael Foster from the ACS team. Michael, if you want to give a brief introduction. He's from the ACS team, former minor league baseball player, all kinds of crazy stuff.

Yeah, going way back, going way back.

So anyways, Michael, give a short intro about yourself.

Thanks for the intro. Hey, everyone. I'm Mike Foster on the ACS team, formerly StackRox. We came over in April, I think that was the official date that we moved over, so it's been a fun six months so far. Thanks for getting me on the show. I've been around Kubernetes for four years now, and I have a diverse background: I used to play baseball, and I went to school at Northeastern in Boston. So yeah, thanks for having me.

Yeah, it's great.
I was, you know, going through this. It's actually been a while since I invited him on the show, but since we did a show plan and we had so many shows, it was like, okay, well, you can come in October. This was back, you know, closer to the acquisition, and I was trying to get the guys from StackRox on.

Very happy to be here.

You know, a lot of the time when I talk about GitOps, and when I talk about the GitOps practice, I always talk about it being the core of a lot of other practices. For example, the latest buzzword is DevSecOps, right, and application supply chain delivery, and how GitOps really has to sit at the core of that. GitOps isn't the complete story, but it's part of that story, and I've been wanting to bring the StackRox folks over and kind of just explain a little bit about that whole vision of having security be part of the process, not just an afterthought, and then continuously monitoring your process even after you've deployed your application, and that being part of the whole, you know, speaking of supply chain, right? We're talking about the application supply chain. So yeah, I'm gonna shut up for a little bit and let Mike over here take over a little bit and talk about ACS, right? Talk about StackRox, about ACS, about that whole ecosystem.

Yeah, you nailed it, especially the DevSecOps word, that buzzword that you keep hearing. It's really about breaking that down, because it's so high-level nobody really knows how to actually apply it. So I just want to show you some practical examples; hopefully you can apply them to your use cases. When I share my screen, I'm going to take you through just a couple of slides. I won't bore you. Everything showing up? Okay.

Right, everything's clear. Looks good to me.
Awesome. Chris, you're on mute, by the way. You're muted.

It's all good. Okay, awesome. Yeah, so the vision of StackRox, and ACS now, is to enable organizations to securely build, deploy, and run cloud-native applications everywhere. Earlier, in 2017, StackRox was a more container-focused security service, and you'll hear of cloud platforms and container-focused platforms that are out there, but we really pivoted to Kubernetes, and it's because Kubernetes has a specific challenge that it presents to developers and operations teams that is slightly different from, let's say, a serverless process. There is a whole array of configurations with Kubernetes that are challenges, and if you want to deploy at the speed at which the developers can introduce functionality into your applications, you need a security process that can keep up with that. So it's about securing the supply chain, securing the infrastructure, and making sure that your workloads, that that process, fits in with the developers and the containerization techniques that you have, so that you can securely scale. I'm not going to go too much into these slides, but it's just about delivering continuous security and fitting into the process that you have, right? Because if you've adopted Kubernetes in any sense, taking on a security solution like ACS, you might be like, hey, how are you going to implement this? So we'll show you, and really it's about full-lifecycle security of the things that you have to take care of, which cloud platforms kind of leave up to you in a shared responsibility model. You'll see that on the different providers that are out there.

Yeah, one of the things, and to kind of just frame this a little bit: I like Eric Jacobs... I don't know if it was Eric Jacobs or if it was you who talked about kind of comparing, you know, when you say application supply chain, that it's really nice to have an analogy, right?
And that's the analogy of the assembly line. There's no dev assembly line, right? If you think about Henry Ford building a car, the assembly line, there's no dev version of that somewhere. Maybe R&D is the dev version, who knows, but there is no dev, QA... all that happens in that same supply chain, right? It's all that same process. It shouldn't have to be an afterthought. It shouldn't have to be something you do on the side, right? It needs to be all-inclusive.

So yeah, and I almost see the security solutions, especially Kubernetes-native ones like ACS, as the quality control for that supply chain. Your developers already have an application where they have something containerized, so they have their v1.0.0, whatever you want to call it, and now it's just about let's rein in some things and let's enforce it upstream, so that all your parts are, you know, up to size and have the right capabilities and everything is okay, so that your final product is stable and secure and won't wear down. Let's say that, if we're going to go with that analogy. But just to talk a little bit about ACS as I transition: the one that we talked about, Kubernetes-native, is the architecture. If you're used to something like Fluentd...

Yeah, or a logging controller, right?
You're going to have one central UI, and that's the UI that I'll show you in a bit. It has basically all the data analysis, the scanning components, and it's just pulling information from your various clusters. So you can have a multi/hybrid setup on different Kubernetes clusters and you can pull all that information into a single UI. One of the benefits of this is you can easily onboard clusters and push policies that you already have in your UI into new clusters and new applications as well. And then just in terms of the layers for Red Hat, you'll see that advanced cluster security and management are sort of that top layer, because a lot of platforms really only give you the Kubernetes-specific part of that, right? So how do you grow and scale your cluster, and then how do you secure your own applications? That's something you're normally going to need to go to an extra service for, unless you have bought into the specific cloud provider. But that's enough slides. I think we can jump into the demo.

We like the hacking at it until it works.

Yeah, we'll get there. Let me just move over and share a new screen with you. There we go. Everything's good?

Now that is an ultrawide monitor, dude. Is it a little, very tiny, stretched? Well, if you can zoom in...

That I can do. Yeah.

Thank you. There we go. That works. Yep. What did you make that, like 300 percent? I think that's a new record, right?

All right, yeah, so to start off, we have an OpenShift cluster set up. This is fairly recent; I think I set this up a week ago.

Nice, good reference.

I installed some demo applications and installed a couple of operators. ACS can be installed as an operator in your cluster, and I think I have four here. So we have Quay.
We have OpenShift Pipelines, we have GitOps, and we have ACS in the cluster. It pretty much is as simple as coming in, enabling OpenShift cluster, or Advanced Cluster Security for Kubernetes, and picking the specific namespace that you want. I called it stackrox because you gotta keep the name alive somehow.

That's right. You got to keep that flag going.

Yeah. And once you get in here, you'll see that part of the differentiation of the architecture that I showed you is there's a Central component, which is the UI and all the tools for analyzing all the information, and then there's the Secured Cluster component. So the Central component is the one that you're going to want to install first. It's deployed and initialized, it'll give you the UI that you can go into, and then you can bring on clusters as you go. You can do this in an automated way by basically generating the certificates, and then as clusters come online they'll automatically get populated and they'll reach out to the UI to say, hey, I'm here. Or you could do it manually, so that you don't have that automation aspect of something reaching out to your UI. But you have that capability. So I'll just go right into it. I have a couple of applications installed on here. I think I was actually given some pretty insecure ones, and I haven't seen them yet, so I'm interested to see what pops up. Now, this is just the main dashboard, which I should probably zoom in on again to 200% so everybody can see. We only have one cluster; if you had multiple clusters, obviously, they would show up here. You'll see system violations, compliance standards. It's your clusters-at-a-glance dashboard. And just to see that we don't have any critical...
Yeah, I'm actually very surprised.

Yeah, so what do we want to jump into first? Let's jump into violations, because it tends to...

By the way, sorry to interrupt, but I told Michael, if you go back to violations, that first violation is probably the thing that sold me on ACS, on StackRox. It's like, hey, someone accessed the kubeadmin secret. Oh, like it knows that. ACS knows that, right? This is something I wish I had in OpenShift version 3, right? It just kind of shows you how Kubernetes, the whole ecosystem, has evolved; now we can do things like this. Things as common as someone accessing something and getting an alert now seems like, oh, that's really cool. You would think that would seem intuitive, that you would have it in the platform, but maybe not. Well, I mean, Kubernetes was so young back then, right? Now we're at that point. Anyways, I was kind of joking with Mike here that you basically sold me on StackRox just with that one line of the violation. But anyways, sorry, I didn't mean to derail you, Mike, but I just thought it was a really cool thing to see.

Yeah, there's kubectl exec, really commands that show that either somebody's in production or somebody's in your developer environment trying to access secrets or trying to get into a container. Those are things you want to alert on, which is why the severity is high. And obviously it's not enforced right now, so by default ACS doesn't enforce anything, because you have to go and install an admission controller to do that, and there are security aspects of doing that as well, right? It's actually part of the MITRE ATT&CK framework, exploiting admission controllers, specifically mutating ones, right?
So it's your choice whether you want to do that, and then how you're going to enforce it. You need to make sure that you are aware of that as well. So just by default it's, hey, come in, take a look around, understand where your high-risk deployments are, and go from there.

Yeah, a lot of security is, first of all, just information, right? Just what's going on in my cluster.

Yeah, that's exactly it. And the challenge, and really the pitch, is that you don't want security chasing things that it doesn't need to worry about, right? You want to be able to identify the things that actually matter to you and that you can take action on, so you're not just pushing things onto other teams that have no impact, right? It doesn't protect anything. But real quick, before I show vulnerability management, because it's one of my favorite sections: ACS has a bunch of default policies set in that take your information and apply Kubernetes best practice to them. For example, that kubectl exec one, or the... where'd it go? I forget. But let's say there's a specific category or a specific policy. It doesn't have to be high, so you can create and edit things if you disagree with the severity of something, or it's a dev cluster and you don't care that much. All these policies can be changed and configured accordingly. We can have comments, so if a violation pops up and it's something that's continuously there, you can leave comments for the next person to come in. And you can export all these policies as well.

That's pretty cool. So you can say, like, hey, this was me. Right, like, oh, hey, it was me.
I accessed this. That's actually... you wouldn't think... that's actually really smart, because I would never have thought to put that in if I was designing this, but as an afterthought I'm like, oh yeah, that would be cool, to put just some information for someone else that's taking a look at the violation.

Yeah, and a lot of this tool is about baselining. When we get to the network graph you'll see it as well. You have to accept an inherent amount of risk, and that's why risk is such a cliché thing to say in security, right, and just risk in general is hard to define. So it's, here's the information, here's the best practice, the things that you need to worry about, and then it's up to your security team as to how you want to enforce it. Some security tools tend to be very opinionated about what you're supposed to enforce, and that can lead to false positives or breaking builds that you don't necessarily want to, so we tend to err on the Kubernetes approach of, hey, come into the cluster, everything's pretty much wide open, and then you can go from there and really secure it. Because if we had network policies enforced by default in Kubernetes, I'm pretty sure it would not have gotten adopted.

Well, and also one of the things about security, and especially vulnerabilities, especially for the information, is that not everything requires action, right? It's a little difficult to explain where it's like, hey, I scanned the Red Hat official image and all these severities came out. Well, did you actually read the CVEs? Some of them...

Yeah, it may be just information.

You have to do something to invoke it, right?

Yeah, exactly. Or maybe it's mitigated, or maybe it's, you know, this could be a lot of higher-level things.

Yeah, and a lot of... I don't want to... let's just say that certain tools and certain providers and things like that...
It's just, here's the CVE, you need to be aware of it. But then if you're using RHEL or something like that, it should be okay; we really don't need to let you know about every single CVE that's out there. It's, these are specific to you, these are the things that really matter. Or I mean, even if you have vulnerabilities in your images, it doesn't necessarily mean that they're exploitable or really active in any aspect of your container being used. So there's things that you can do to basically say, hey, these are the fixable aspects, these are some things that you can't fix, but do you really need them in the container? Are there other options? So yeah, it's just about triaging accordingly, right?

So we got a question in chat here, guys: is the ACS operator supported for disconnected clusters?

I believe so, yes. You kind of have to ferry all the container images and everything into your environment, but after that, yes, it should be supportable.

Disconnected, yeah, and you'll set up a mirror repository or something like that to pull the vulnerabilities in every month or so. But yes.

Yeah, that's a good question, and StackRox has pretty much always supported that from the beginning.

Yeah, I guess at that point it'll just be more manual, right? Like right now StackRox, or ACS, I'd better use the product name, is reaching out and pulling that information, I would imagine, and disconnected you would have to sync that yourself. You've got to ferry the info, the data, as well as the images, sneakernetted in on your little floppy.

Yeah, so I will say one of the riskiest images that we have here are the workshop, some of the demo applications that we've set up. And it's always funny, because "riskiest" is very... it just depends, right?

Yeah. Well, what's funny is it's relative to your cluster, right?
If everything's perfect and you have one medium, right, that one is technically the riskiest. There's actually a question in the chat, and I think you're gonna get to this a little later, but I'll ask it now; feel free to punt it down. It says, who resolves the CVEs?

Mmm. That's a great question. So you've identified a CVE. If there is... maybe it just needs an upgrade, so maybe you push to your devs and you say, hey, build this pipeline right now. Or maybe you understand that you need to change versions or something like that if there's a quick fix. Normally when CVEs are released, they tend to come with a fix associated with them by the application developers. If something's major, most likely that will... so if a new CVE comes out and it's something that's high level, you'll get an alert that, hey, this is something that can be fixed and is relatively new; it just needs an update. That's one example. Another one would be, there could be a vulnerability that is rated as low, or you need a specific exploit, like, let's say you need to have access to port 80 or something like that.

Well, Python 3.7.8 with port 80 open, yeah, you're screwed.

Yeah. But realistically, if you have the configuration file and your deployment set up properly and your network policy set up so that that port can't be accessed, it's not really an issue, right? So there's more to it than just, hey, I have a vulnerability, push it so that we can make the change at the build stage. You might not need to, and you might want to get to that eventually, but is that the high priority for the team, right? So there's more conversation, there's more context that needs to be added.

Yeah. Yeah, because this one here, I'm looking at this image here; by the way, it's my image. I know, I'll admit it. This is one of my test images. Michael's like, well, do you have, you know, some test images?
Oh, I've got some images that all light up like a Christmas tree. But it looks like for some of these I just need to rebuild the container, right? Just do a yum update in the container. Looks like, specific to this one, this one's Apache.

Yeah, so it's been updated with the new collections, so you need to do an update, basically. And then if you want the full CVE description, to understand a little bit more, you can go there as well. And really, if you're going to go to the overview, if I were to go back to the main screen, if we view all and we sort by fixable, these are the ones that we want to focus on, especially the recently detected ones. So the biggest thing about ACS is the longer it runs, the more you get a baseline for what your services should be: network, images that are running, users. And you'll start to see, okay, there's a change, there's a new CVE from the newest update, it's a fixable one, this is probably something that's recently come out that just needs an update or a patch. Let's prioritize that, right?

So someone asked in the chat: does StackRox have its own dashboard UI, like OpenShift or Satellite? Yes, you're actually looking at it. It just looks a lot... notice the top left.

Yeah, yeah, we use a common framework called PatternFly here at Red Hat, so our applications kind of look consistent as a result. But the logo in the top left is the dead giveaway. So the answer, Jazz...
Yes. I believe you can put your own logo up there if you're feeling...

Totally can, yeah.

Yeah, there was this competition. We did a console customization competition last year, I think. Go back and look it up, folks; I'll find the link and drop it in chat. Some people do some really cool stuff with their consoles.

Yeah, and there's links to the repos and everything.

I'll go find it.

Sweet. And then, since we were talking about fixable CVEs, I figured I'd show you this dashboard. We can look specifically, we can sort by fixable, we can also snooze ones. So let's say, as your security team, you've installed things and obviously there's a ton of containers running. Really what you want to focus on are things with a high CVSS score, things that have high impact that can be exploited, and also we want to look at the number of components and deployments that are associated with it. Right? Is this something... the more prolific this is, maybe it's a part of a base image that you constantly use in a lot of your applications, that would have a big impact to fix. That's something where it's like, hey everybody, team-wide, we need to just go and upgrade this specific part, or we need to pull a different base image to make sure that this has changed, and that will have a significant impact. So this extra information helps you triage.

Yeah, and you can also mitigate that with UBI, right? If you're using Red Hat UBI and, you know, your cluster is vulnerable, but all your images are based on UBI, you can probably just update your base image in one place, right, and it should cascade across your environment.

Definitely. I don't think I've actually done this yet, but yeah, configuration management. This is the other aspect, and this is when we talk about risk in this dashboard.
We're pairing vulnerability management and the images themselves with the configuration of your application in the cluster. So there are other things, and policies, that violate. They have basically best practice here. So curl in an image, right? If you don't need curl in the image, don't have it there. Using ADD in your images. Secrets mounted as environment variables; that's one we see pretty often. Old images, so this is pretty common, right? I think, Christian, your image probably failed that one.

Yeah, yeah. Yeah, all these are probably mine.

Yeah, so you can see the policies that are being failed, and this is cluster-wide, so maybe you make an exception for specific ones, but in general this is a policy that you want to have, and of course you can change the format. You can make it 120 days, you can make it 60, you can make it two if you wanted to. And there are also little things, you know, like required labels and owners, right? So you can enforce best practice, and this can be done earlier in the pipeline too if that's something that you're interested in. But it all culminates with basically a risk assessment that's highlighting the riskiest deployments, and it's giving you a priority score of what you need to focus on. So we have some very severe violations: environment variables containing secrets, and some fixable severity, some fixable vulnerabilities that you need to get to.

You're pulling the curtain here on my image.

Yeah, more like pulling the rug out from under it.

Yeah, exactly. And as we go down there's a little bit about the service configuration. So no capabilities were dropped, so assuming that there's no security context on this deployment, which means it has full capabilities. Not great. Volumes are mounted read-write, ports exposed, components that are useful for attackers. So this image contains bash, curl, vim, and yum and has no components dropped. That's severe.
That's something that you want to fix pretty much as soon as you can. Number of components in the image: yeah, so this is obviously a larger image, there's 227 components. So basically we scan the Dockerfile and you get a list of all the components to go and take a look at. And then you obviously have the default service account as well. So this is probably one of the riskiest things you could ever do in the cluster. And oh, look at this, this image is over, what, three years old, four years old?

About three years old, yeah.

So everyone look away. Christian, I'm not calling your baby ugly, but your baby is ugly.

It's a really ugly baby. Oh, and also I'm using MySQL; I should probably switch to MariaDB. There's just all kinds of stuff wrong with this. The list never ends.

But if there was a security context, it would be here. There isn't. Although you do have the resources set up.

There you go. That's the one. How do you think you're doing, half a star out of...?

That's exactly half a star out of point five. You got a five. It's just, yeah... it does at some point move over to one.

Now the nice thing is, on the event timeline you have no policy violations of actual running processes, so even though you have a specific process they're running, you haven't violated anything. But if we were to view the graph, we can see when specific processes were run in the event timeline. And what's useful about this is you can set up alerts. So I could set up an alert on something that is a quote-unquote risky deployment to say, if /bin/sh gets run, alert me, send me a notifier. So what you could do is, let's say you know that you can't harden your image in time, or your dev team says, hey, we're going to get to this but it's going to take a day. Okay, well, I'll set up a notification on this image for the next day, so that if anything happens in the day I get alerted right away and I can go and destroy that pod.

Yeah, that's pretty cool. So that way you'll have... so like, all right...
Well, you know, in case something happens while they're fixing it, I can be notified, right? I can send it to PagerDuty or a webhook or whatever, right?

Yep. And because we use the admission webhook controller for enforcement, let's say there was a process that you didn't want to run and you wanted to stop that process. Well, all we do is we just kill the pod, because unless you want to kill the deployment, you kill the pod of that process; the service is still up and it just goes and brings up another one. So something as simple as that: if an attacker was able to get access to the pod, they'd only be able to run one command. They get kicked out right away, and then they can try again and they're going to keep getting kicked out, but then you're going to get notified and you're going to make an adjustment. It just allows you another sort of layer to respond without having to shut everything down. That's an option.

Yeah, we would just say, yeah, just pull the ethernet cable out of the wall. Well, what I find surprising is that I actually pulled an image, so like, I pulled an image from Docker Hub that I know was pretty old, and yet my image was still the highest.

Somebody has better stand... Well, they probably have a build pipeline, right?

Right, exactly.

You probably just were like, hey, what's vulnerable, put it all in.

Yeah. Does NGINX even appear on this list? I don't know. I don't think so.

Yes, I mean, there... I don't know, but there you go. I do want to show the network graph and a little bit of the pipeline I set up before we get caught up on time.
So yeah, this is the network graph. It would look a lot cooler if I had a load to run against this cluster, but since it's pretty new we don't have a lot of connection information. But typically you have this active and allowed view, so you can do both: connections that are allowed, and active ones that are currently being used. The blue sort of signifies that a network policy has been set up; red means it hasn't. So these are ones that you definitely want to go to and say, hey, there's an anomalous flow, and we need to make sure that network policies are set up for these. Right now there isn't, and there are a bunch of updates available too, so this is definitely a cluster that needs some work. And one of the best things about this, honestly, is the baseline. So this is baseline traffic. Let me go back here. Yeah, so for the scanner and scanner database, there's two baseline flows. It's basically scanner; this is expected. Right, ingress in the namespace stackrox. What's not expected: the UI is all of the network flows in the cluster. So this is something that it's picking up. It's like, hey, you know, these are open connections, these are something that we're not expecting. Now we can add this to the baseline, or we can basically generate a network policy to account for that. So you can simulate a network policy and account for the network changes, and it will recommend an option. Now, there hasn't really been any traffic in this cluster, so the network policy isn't really going to be accurate.

So it thinks that there's a lot of connections, and that's what you want.

Yeah. But the other thing too is, if you set up your baseline and you say, hey, these are the three connections that are part of the baseline, anything that breaks that you can alert on. So this is really useful, especially for... you don't want to alert on everything, right?
But let's say you have databases or, you know, sectioned-off nodes that are for specific workloads. Those will show up in your network graph, and then you can click on that and say, anything to and from these specific pods, these specific deployment resources, I want to be notified if it violates the network baseline.

That's pretty cool. So not only will it notify... also, see, now I'm starting to sound like a customer. Will it notify also if I have a network policy set up, right, and it blocks traffic, can I get alerted on the attempts as well? Not just...

It depends on where it's coming from.

Oh, that would make sense, right? If it's a monitor, like certain... yeah, okay.

Yeah, if it's in the cluster you would get... like, let's say an application was using some network tool to get at StackRox, right? That would come up as a runtime violation in that application in the cluster, so that would be logged, right? If it was an external entity trying to get at the API, that would just depend on where it got blocked.

All right, so we've got an interesting question in chat here. Navin asks: we saw one internal dependencies repo from an image try to pull updates from a public git repo; security captured that. Anyone experienced this?

I feel like that is a very common use case.

Yeah. There are a lot of developers that are going to be like, hey, you need this file that's going to come from git, or hey, you need this dependency, go pull it from git, because they want a specific version of that dependency.

Yeah, if you just take a look at your go.mod file, right? It's pulling from random git repos sometimes. That's just kind of how Go works, right?
Like it pulls from GitHub, blah blah blah, pulling dependencies. Yeah, and you're going to have a bunch of different teams that don't have the same application, don't code the same way. So maybe you have one application that has to run in an init container, or three init containers, and has to pull information or secrets or variables or whatever, right? What you can do is, when that runtime process at initialization is known, well, you can flag it as a baseline to say this is a normal runtime process, this is for this team, this is expected, and then alert on anything that isn't those, right? So it's kind of one of those: you need the flexibility. You can't just say any time that we're going and reaching out of the cluster for packages or dependencies we want to stop that, right? Yeah, no, your apps will break. Yeah, and what some dashboards, I should say, when they have network tools that don't actually use Kubernetes-specific functionality, they might be in a dashboard and just say, hey, well, there's this weird network reach-out. Okay, let's just block that IP address, or that specific one, right? So there's no real conversation between where the firewalls are, what's getting blocked, what isn't, and it's like a box around the cluster not letting things in. So there's just a different layer, and that's not saying that you can't use that tool and ACS, right? You can have the external firewall and then you can have the network policies and the functionality in the cluster, right? It's also just how you communicate that information between teams, right? Collaboration is key is a theme. That's right. That's right. For sure. Now I think I have... there's this default one that I kind of want to show. This is an old, old Docker demo, very old, and there's no network policies. And I built this in GitHub and I pulled it using Argo CD, no security contexts, extremely, probably pretty insecure.
Yeah. Let's go find it actually. I'll just hop over to Docker Hub and give you a quick run-through of what's happening here. Actually GitHub is probably the place to go. So I was thinking, like, how do I sort of build this process where we can enforce the policies of ACS in the build process for developers, or maybe not enforce but educate, while we're still letting them deploy, and then we can come back and say, hey, watch out, these are things that you need to fix before the next release. And you can consistently notify them over, let's say, the next six weeks, and if they don't fix them then you say, hey, okay, well, I gave you time to fix these and you're not communicating with us. So I was like, okay, well, let me pull an image and see what I can work up in GitHub Actions, even though GitHub Actions is not extremely intuitive. Yeah. So can you zoom in a little bit? Oh, yeah, please. Good call. I should just set everything to 250. Yeah. There we go. There it is. So in this setup, it's basically just a... let me show this if I can zoom in on this one. It's this little Docker Labs getting-started using MkDocs, and basically initialize it, drop the file in, it's good to go. And what I did was took that and created a build YAML. That's a pretty big build YAML, but: logging into Docker Hub, building the image, but then I'm doing a deployment YAML check, an image scan and an image check after. And so the benefit of this is, let's say your developers already have their workflow set up and they already have their build process or their CI process for their build and they're pushing. Well, you can take roxctl and go and install it at the end of these processes and then pull the security information close to them and display it to them without actually enforcing anything. And so then you can have that conversation about: these are some serious vulnerabilities that if you do not fix, you will not be able to push to production. Right, these are the high ones.
These are the ones that we care about, and you can set all this and build it into the pipeline, and you can test it without really interfering with that team, right? And if I go and show you... I've had so many failures of this, but I finally got it to work. Scroll down. So the build is, well, if you use Docker, it's pretty straightforward. You have all of your layers. What is really important is we install roxctl and we reach out and make sure that we have the variables needed, and then what we do is we run a deployment check. So what this is going to do is it's going to reach out to the UI hub, pull the policies that are set up, and it's going to run them against the deployment YAML that we have. So this one basically just fails right away because there's a bunch of stuff that isn't set up, and you can choose whether or not you want it to fail. I have this as continue-on-failure because we don't want to break the pipeline. We don't want to impede developers, right? We just want the information, and we want it so that they can see it. Same thing with the image scan. I didn't format this all nice and pretty, unfortunately, but it has all the layers, and if we scroll through we'll see that there are some serious CVSS scores with this. Yeah. And so if I wanted to, yeah, really what I would probably do is I'd just take jq, pipe it into a file, and then you can literally have it automatically sent as an email to a developer on the build, right, or something like that, depending on what you use for your CI process. But it's just kind of a, hey, is everybody aware this build just... you know, maybe it's not merged into the main branch, but this is a PR, this is a feature that we're adding, and there's some serious vulnerabilities with it. And it just makes everybody aware of what's going on.
So that's, yeah, it's pretty cool that you can build it into the CI process, because especially if you're doing a feature branch like you were mentioning, you can have it pass, right, for a feature branch, but then they have the information to where, like, hey, by the way, when you merge this, we're not going to allow it to merge until these are fixed, right? And so that's the whole Git workflows thing, where it's like, okay, your CI told you, here's the vulnerabilities you need to fix before we'll even allow you to merge this feature branch into the main branch. So this is that, which is pretty cool, right? It's all about information. It's all about fixing it earlier and often. Yeah, and the reason that we designed it as roxctl, although I don't know if it's going to turn into acsctl, I kind of like roxctl, is so that, because it's a binary, you can go and install it in a lot of different CI pipelines and you don't need to worry about integrations. It's pretty much plug and go in a bunch of different setups, and because we want to be Kube-native and be applicable to a lot of different use cases, it just made sense. There also is a difference between image scan and image check. Image scan just shows you CVSS, pulls information and compares it. Image check actually runs that against the policies that you've set up. So maybe there's certain CVSS scores and vulnerabilities you don't really care about. Well, let's work on image check policies so that we only care about specific things. So for example, the Dockerfile here, the image has root. So this itself isn't that important, because if you get into Kubernetes and you have your security context set to drop all, it doesn't really matter. It won't run anyway. But now it's like, okay, well, which layer matters? Because the developers don't care; they're always just going to leave it as root. Okay.
Well, is that a practice that we want to stop with the developers? So again, not every policy is important, and it's up to you to kind of figure out and have the conversation with the team to say maybe we should drop root, because we know we're leaving your security context wide open. You can't have both, right? Yeah. And then obviously this fails, but continue-on-failure is... And what I did after that was I went to Argo CD. Can you zoom in? Oh, yeah, good call. And I... oh, I've got degraded. I don't know what happened. You didn't pass the security check, that's probably it. Oh, I made it pull back off. Oh, because 3.0... maybe I messed up the config. This is 1.0. So you rolled back. Still got to work on the pipeline a little bit, but what I kind of wanted to show is, let's say you have that GitHub pipeline and it's continue-on-failure, and then Argo CD automatically goes and pulls it into, let's say, your test environment. If there are certain processes that you really care about or certain policies you want to enforce, well, then you just go into that CI process and you say we're not going to continue on failure anymore, right? So part of the implementation is maybe it's: here are the policies you need to worry about, you have three months to come into compliance, and then we're going to stop allowing this continue-on-failure into your test environment, right? So there's like a give and take, and you don't necessarily need to come in and enforce everything right away, and you can be a little flexible in how you set it up. Yeah, you don't have to drop the hammer immediately; you just have to say the hammer will be dropped later. Yeah. Right, "hammer will be inserted here." Exactly. And then the other thing that I did want to show too is there is integration, obviously, into pipelines. So we have an example of a roxctl pipeline, the pipeline run where we cloned the workspace, we ran... wait, is this the right one?
I think it's the other one. Yeah. And we ran roxctl against it. We found three alerts based off of it. So as part of your pipeline you can do a lot more, honestly, in this than you kind of get with Actions. And I'd recommend, this is the next thing I want to work on, is just the build, the check: checkmark, okay, config good, are you ready to deploy? And then that's the manual stage at which you say yes. So you basically have parallel pipelines between configuration and image. You're validating them all, you're checking them all against your policy standards, and then you can choose manually to deploy it or not. Anything else? Any other questions? And of course, from a management standpoint, yeah, you can look at your different clusters. All the system policies are here. You can reassess them, you can import specific ones, you can create new ones. Policies summary, severities. And you can export them all through the API as well, if you want to back up and go and redeploy somewhere else. So Sigstore's in the news again today for some reason, and I'm curious: is there a policy that says this image has to be signed? That's in the roadmap. It's coming. So the image signatures... Is in the roadmap? Binary authorization is already a thing. I think really only Google has it operationalized at this point, right, that I'm aware of. I mean, you can obviously do it on OpenShift with Sigstore as well. That's right. It's been an option for the last year and a half, I believe. But yes, the integration into ACS is on its way. Nice.
Yeah, so that's one of the things that we've been asked for for a while, is image signing, in terms of blocking things that aren't signed, right? And that's like a big thing, right? Like I want to know... there's alerting, right, and there's kind of like a kicking-back sort of thing, but there's also flat out stopping it even before it touches my cluster, right? Yep. So I know that's going to be big, because I know a ton of people have been asking for that for a while. So it's great that it's on the roadmap. Mm-hmm. It still is only at the container level, so I would warn people that, if that's the next bulletproof thing that you're worried about, just because the image that you built is the same image that's running in the cluster consistently doesn't necessarily mean... Yeah, correct... that you're secure. You can build the images, obviously, and you can configure them improperly. Yeah. Yes. Yeah, like you can sign an image that's a bad image. So let's not... Again, everything's a layer, right? You're just stopping any injection in that CI process, right? Correct. Right, like it only matters if you've built it securely to begin with. So like I can sign my crappy image that's running, right, but that doesn't necessarily mean it's good. Yeah, doesn't mean it's good. It's just that it's known crap. It's a known image. Yeah, it's a known bad image. Yeah, known evil. Known evil, yeah. It's bad, but at least I know no one has injected anything into my bad image. So I also would probably get in trouble... I really should show this a lot more: the policy violations and CIS Docker standards and all this that it comes up with. You can export all these as well. So when you have audits or things that pop up, very, very useful.
If we look at some policy violations, you can see the categories here of the policies that they're violating, for example, like Docker CIS, and Docker CIS 4.1, which is exactly: ensure that a user for the container has been created every time. So there were a couple that were running as root, right, that we saw, where there was no user. That obviously violates the benchmarks, and so if you got audited for that standard you fail. Here's how you rectify it: make sure that all your Dockerfiles aren't root. So we were talking about that as part of the CI process too. So it's like, hey, if we're going to pass this audit we need to enforce this on our developers, so you have two months to get in line with that, right? You see you can export it, so I have two questions on that. So one, is that like a CSV or something, or is that just like a PDF? Yeah, PDF. I believe you can do a CSV, although maybe I'm missing something. This dashboard, I always believe you can export in a CSV and a PDF. Okay, cool. And then is that like an open API, like can I automate? Kind of like, I always think, is that an API I can hit and I just automate, because... All right, cool. Oh, yeah, completely. If you want to check, I don't want to go to the help docs right now, but the documentation is online and has all the API documentation as well that you can pull from. And so part of the policies that you create, so these system policies, is that you can export them, clone them and edit them. So you can pull them into JSON format, have them all, and if you want to make changes to the policy you don't even have to go into the UI. You can work on them separately and then just push them in through roxctl. Nice, nice. So you can essentially customize the policies for your... not only just add, can you edit the ones there?
Or do you have to, like, clone and create your own? You can edit them all in here. You can add them directly. Obviously I recommend copying them instead of editing them. You can also... yeah, you can turn them off, right? Garbage them, disable policy, right. So that's pretty much all you... And then so you take the defaults, edit them. The best thing about exporting is if you have two different UIs, so you have a ton of different clusters, or maybe you have database-specific clusters and then your stateless applications and you like to separate them, whatever the use case, it might be useful to basically pull the rules, and then if anything ever happens, because you've created all these very unique policies and you need to go and reconfigure it, you have them all in JSON. You can just go and, hey, take this, and then all the policies will pop back up, sort of your redundancy. And roxctl does... roxctl, if you call it, will back up the database and back up the policies. Nice. You can automate that, or you can do it directly and export all the policies that you set up. Nice. So here someone has a question. I don't know what it means, but I'll answer it here. It says, "Will Red Hat have a future?" I think Red Hat will always have a future. So yeah, I think the answer is yes. It's been one of those days. Hey, yeah, I was like, Chris, you look like you're over the day. It's been a weird week. It's been a weird week. Like, folks, if you haven't heard, I've turned in my resignation. My last day is the 18th, so this is potentially my last stream. Yeah, so this is your last voyage, right?
Yeah, thanks for making this day super weird for me. I appreciate it. So, yeah, that's... So I don't know if you wanted to show anything in the last eight minutes that we have here, in the last few minutes. I don't know if you want to show anything, or if you want to talk about where people can learn more about ACS, or where they can find more information, something to read, something to watch. Yeah, OpenShift has the trial, and you can demo ACS for free, I believe, through the Operator. I'm just going to pull it up. If you have OpenShift, the Operators are up there; feel free to test out Advanced Cluster Security. If you have the time, honestly, it's worth it just to install it and see what's going on in your cluster, and there's nothing enforcing, right, because when you install it, it's just information. Which, you know, it doesn't hurt to try. Yeah. So when you install the Secured Cluster Services there are three components, which is the scanner, the collector, and the admission controller settings. So it basically just listens, and you can have it so that there's an enforcement mechanism as well. Nice. If I go over to StackRox... So for the documentation, everything's up online if you want to check it out. If you want to get started with roxctl you can download it as well. It's all there: backup, restoring, upgrading, operating, building it into CI pipelines, everything you need is in the docs. And there's a community site as well. StackRox is going to be... RHACS is going to be open sourced in the future. I'm not sure exactly what the timeline is, but there's a community site for announcements as well, stackrox.io, which I'm pretty happy about because the name gets to stay around. Yeah. Pretty awesome.
Now it'll be the open source name, right? The upstream for ACS is StackRox. And also there is a Slack channel, so if you are on the CNCF Slack there is a StackRox Slack channel there that you could... Looks like Wall Lead's on there. By the way, I'm looking at it right now, Chris. Wall Lead is there, so our biggest man here. I guarantee he's everywhere. Yeah. Well, yeah, I actually went to the StackRox section right now and his name popped up, like, hey, I know that guy. So yeah, so there's another... if you're in the... here, I'll copy and paste the link here in the chat, the CNCF Slack. So not only is StackRox on there, actually the Argo CD folks are on there. So if you have questions about Argo CD, all the engineers and all the community members are there as well, and the GitOps Working Group is there. So it's not just that, shockingly. Yeah. Stacking rocks is one of my favorite zen games, by the way. So a slight tangent, slight tangent, like, it has nothing to do with anything, right? So I play Assassin's Creed Valhalla and there is a stacking rocks, I guess, side game, and it is like the worst thing. It's like the most frustrating thing for me because my rocks keep falling. I'm glad I stopped playing that game, like, within the first couple missions. Yeah. Well, for the OCD person like me, I need to finish every little icon on the screen, and it's like, no. I hear you, right? It's like I put in the game, I started playing, and I was like, there's a lot of mini crap that I don't like in this game, and just completely set it aside. Yeah, it's a terrible mini game. But then I'm sitting there for like 40 minutes, of course, because you're like, yeah, I gotta cross off this one thing and I'll be complete. Yeah, and I'm sitting there.
It's like the actual mission took me like 10 minutes, but like 40 minutes to stack the rocks. But anyways, we'll take your OCD and we'll put it against fixing all these CVEs. Yes, that's right. Yeah, I need to go through and knock off a lot of the CVEs that way. If I put all these CVEs on an Assassin's Creed map, would you then? Yeah, let's see, I would knock them out one at a time. Yes, exactly. I definitely would. That'd be a way for... that's a good way for me to fix these. So there we go. So are there any other questions here, guys? If not, I think we're almost, yeah, we're almost out of time. We're at the hour, a minute left. Yeah, okay. So if there aren't any other questions, we can sign off here. Again, this is Chris Short's last GitOps Guide to the Galaxy. You'll, again, probably heard this a thousand times, you'll be sorely missed. This is your last voyage going toward the galaxy. But, you know, I'm not going far. So you're not going far. I'll see you next week at KubeCon. And I guess the search is on for my co-captain, for the next co-captain here on the stream. So yeah, you got a candidate, maybe, right there. That's right. That's right. I got a candidate. I'll maybe do like they're doing at Jeopardy, right? I'll test out a few. They get a competition, right? You have GitOps games: who can build the best pipeline? Yes, exactly. Right. Yeah, exactly. So maybe I'll have tryouts, right? So this week's test... and then we'll have GitOps in the Squid Game hood. That's right. Oh, you've been eliminated. You've been eliminated. Nope. And then we'll take off. So anyways, thank you, Mike, for coming on, showing us StackRox. It was fun.
You made me a fan of it. I saw it for the first time a couple weeks ago. So a lot of the times you get bogged down in your own little world, and you can't really, you know... once you start seeing other stuff that the community is doing, and stuff that Red Hat's doing, it's, oh, that's really cool, that's a really cool piece of software. And that's one of the things that I thought of. So yeah, cool. So there's no more questions in the chat, so I think we're good. Yeah. No. You'll be back in two weeks with some more fun. Yeah, I'll be back in two weeks. I guess I'll figure out the streaming thing, hopefully, by then. We'll see. You might get some Slack messages, Chris. It's gonna be a busy week next week. If you're busy, that's right, KubeCon. Chris, I'm gonna... he'll be here, so I'll pull you aside, Chris, and say, show me how to do this. That might actually be the best way. That might be the best way, so we'll see. All right, cool. Michael, we have a meeting tomorrow, so I'll see you then. But yeah, Christian, I'll catch you... I'll land on Saturday, or whenever. Yeah, whenever, we'll see. Yeah, yeah. All right, take it easy and stay safe out there, folks. And yes, please find me if you're going to KubeCon. I definitely want to... yeah, I'll be there too, so meet you, and yeah, Christian and I will be around. Thanks, everybody. Take it easy. Stay safe out there. Cheers.