Hello everyone. Welcome to our talk. Today we're going to speak about security gating with Argo CD, and my name is Mathias. I'm a professional barista, I'm also a fitness trainer, and I'm a Kubernetes contributor and also one of the lead maintainers of Kubescape, which we will talk about in this talk. Hi, my name is Laurent Rochette. I'm French, as you can hear. I worked, until a month ago, for Codefresh, and we have just been acquired by Octopus Deploy. Despite my accent, I live in Arizona, so if you have trouble, Mathias can translate for you. I'm sorry, I just shattered my ankle on Sunday, so I'm going to be hopping a little bit here and there. I hope you're not high on morphine. No, I didn't take it this morning. All right, so this is our agenda for today. First, I'm going to speak about Kubescape: what is it? Then how we can integrate Kubescape into your CI/CD pipeline, and then Laurent. I will talk a little bit about Argo Rollouts, what it is, for the few people in this room, I'm sure, that don't know what it is, and then we'll do a demo of Kubescape used in an Argo Rollout to basically block a deployment. Yes, good. So let's speak about Kubescape. So Kubescape, first of all, is a CNCF sandbox project. My company donated it last year and we are going for incubation. So if you are using Kubescape, we will need your help, but let's talk about it at the end of the talk. So Kubescape is the only security scanner in the CNCF, and we plan on becoming like a security platform. And Kubescape helps you to see misconfigurations, vulnerabilities and security risks in your whole Kubernetes clusters. It's basically a CLI tool that you run and that is very flexible. So you can have multiple formats in and out, so you can easily integrate with rollouts or any other automation platform and perform those scans regularly. You can also...
So by default, we scan against security frameworks, the well-known ones, so MITRE, NSA or CIS, but you can also create your own controls if you want. We aim to be lightweight and scalable, so it should be suitable for any cluster, be it a very small cluster that you deploy on the edge, up to very big deployments. So as a starting point, let's look at a typical CI/CD pipeline. I have shown the three main phases of this pipeline: the development phase, the build phase and the release phase. So you have well-known tools in there: you have your Git repo, your infrastructure as code, Argo CD of course, Argo Rollouts, your container registry, and then how the developer interacts with all these different components. So as I told you, Kubescape is very flexible, so you can integrate it into various parts of this CI/CD pipeline. First of all, we have a VS Code plugin, so you can start taking security problems into account right in your IDE. You can also integrate it inside your developer platform if you're using Backstage. Then we have some steps in all the well-known CI/CD tools like Codefresh, soon Octopus Deploy. Yeah, there are different tools for now, but yeah. GitHub Actions, GitHub, Jenkins, whatever. And you can also integrate Kubescape into your registry scan from the CLI. You can also have continuous scanning if you use our Helm install to monitor all your workloads as they are scheduled in your cluster. Yeah, both of them. And we support alerting via Prometheus and Alertmanager through our Prometheus exporter tool. So now if you look, this is how Kubescape can integrate into your development environment. To start from the left, we can integrate inside your CI/CD. We can scan your infrastructure as code. We can scan your container registries. And this is the Prometheus and Grafana integration. And of course, directly in cluster, either via Argo Rollouts or even when your workloads are scheduled.
So the subject of this talk is how to use Kubescape to do some gating. If I come back to the same schema, we could put some gates at these different steps. So either before pushing to your repo, or once your repo is used to build your application or your deployments; then we can also block whenever you try to push into your production container registry. And we can also block, which will be the subject of the demo, when you try to deploy something that is not secure in your cluster. So let's talk a little bit about Argo Rollouts for people who may not be familiar with it. Argo Rollouts is basically a controller to help with your progressive deployment. By progressive deployment, we're talking about blue-green, canary, some kind of experimentation. Basically, before you go full deployment on your production server, you want to be sure you test a little bit of your new container, of your new application. And the nice thing about Argo Rollouts is you can do automatic rollback based on some metric or test. So it's basically a deployment. It's very similar to your deployment manifest, with some strategy to decide what you want to do. And you can integrate it with ingress controllers, service meshes, and you can get some metrics. And those metrics can come from different things, so basically anything with an API. So you can talk to Datadog or Prometheus, this kind of tools. The idea is to be sure that what you deploy is sound before you finish your rollout and you deploy it to your whole cluster. The only thing you can do is to use a job. And that's what we're going to use in the demo. Here the idea is to run a Kubernetes job or a workflow and to be able to do some kind of testing or run a CLI, again, to be sure that what you're deploying is not going to break your cluster. So the idea, in this case for this demo, is to do a security check during the rollout, so before we deploy everything to the cluster. And so if there is a problem, you can stop it immediately.
And you didn't basically open some kind of severity for your cluster or firewall or whatever you're trying to test. So that way, even at the late stage of production, you can prevent it; basically, in this case, Kubescape will block that rollout and be sure everything is fine. So let's see how it works in the demo. So we have an application here in Argo CD. As you can see, it's very simple. It's nginx that we use for our demo. So let's go look at your, not that thing, sorry about that, here. So I have my manifest. I have a deployment. And so I'm going to change the version that I want to put on my cluster. So we're going to go to 1.25.4. I'm going to save that. So that's my deployment. And here I have my rollout. And what my rollout is saying is basically: put 50% of my pods with the new version and then run this scan. And the scan is basically a job that's going to run Kubescape. And Kubescape is going to be able to tell us, you know, if everything is fine. So I'm going to save that and go back to where is my, sorry, one, one. Okay, pull. So, push. So I'm pushing what I know is a bad image. And so Argo CD automatically, you know, is going to notice my new manifest. And if I go to my rollout part, it should take a minute. Okay. So you can see it's thinking. It's deploying my stuff. My analysis run is running. And if I go look at the log here, we are going to see that Kubescape is in progress. And if you want to come in on the Kubescape aspect. Yes. So as you can read from the log, Kubescape is currently scanning the image of the workload that is going to be deployed. We also, just before that, loaded all the different security controls. And we are also analyzing the YAML of the deployment as it is being deployed. It doesn't want to show me the log. Oh, here we go. Okay. So what has just happened? Here you can see the result of a typical Kubescape CLI scan. You can see the type of the workload, which is the deployment, the name, which namespace, and the result.
So you can see there are several red crosses here, which means that some of the controls have failed. And just after the different tables, you can see the number of vulnerabilities that are present in this image, including two critical. And since we ran the scan with the, you had the command line somewhere. I had it with the high threshold, the severity high. Since we failed some of the high controls, we gave an error code. And what happens then? So basically the rollout has failed. And now if I go look at my deployment, if I look at my pod, you will see that I'm still on the previous version, which should be when 15, if I can find it. Yeah. So basically my rollout prevented, you know, that version from being deployed properly. So let's go back now and let's push. So here's the command line you were talking about. So we had put a threshold of high, to be sure that we didn't deploy if, you know, we had some bad issues. So let's go to my rollout. Sorry, to my deployment. One thing. So let's go pick an image that I know is good. So same thing. Let's go push here, push on. This time we have a good image. So now let's roll the dice again. So again, Argo CD finds there was some deployment to do. It's pushing some of the new pods. And now we should have a new test here, a new job to run Kubescape. So again, as you can see, now I'm testing my new images and I don't know why the log doesn't want to show me, oops, sorry, one, one. Yeah. What's happening? Live demo, nothing better. Yes. Okay. So why it's not going to the, I'm confused. It's not a Java image. Did the first one fail? I don't know why it failed. Okay. So show us the log. Oh no, what happened? So here. So now you can see at the end of the log that the image now looks safe. There are no vulnerabilities in there.
But as I told you, we are not only looking at the vulnerabilities with Kubescape, but also looking at the posture. So in this, if, can you go back to the output? Yes. I will point out which one is the high one that we failed. So the issue is about the first one of the Kubescape controls: it is the privilege escalation. So you could click on the link if you want. Which one? The C-0016, this one. Oh, okay. And then it should explain to you what's wrong and what we should check. So remediation: if your application does not need it, make sure that it's set to false. So let's look at your deployment. And yeah, I forgot to change that. Yeah, change, please. It's a good day. It's a good demo. It's a good demo. Yeah. We did it on purpose. Yeah, please appreciate the actor acting. Yes. Okay. Push good image again. Yeah, you should have put like "fixed privilege escalation". Okay, where is my quick sync? Synchronize. Okay, new stuff coming. I should have a new analysis run. Here we go. Okay, we're pushing. So I was able to push the same image again because basically my previous try didn't deploy it. Else, if you try to push the same image again, you know, nothing would happen. Oh, I didn't mean to do that. Let's go back here. Okay. And now, now that's good. Now we're good. Compliance result exceeds. What again? Yes. Oh, my gosh. Need to fix everything. Oh, yeah, I know the output. I think we are missing some limits as well. I use the same one. Yes. Okay. Well, show us the manifest again. So another control that is in high is not the C-0016. It's that you need to put all the resources. Oh, my gosh. And I promise we really are. Yeah, no, no, no, it's the last one. Yes. Famous last words. Again, again. So next time, I will install the VS Code plugin, so you will have directly, you know, the underline in red saying like, yes, you should fix this as well. So as you can see, Kubescape is way more efficient than we are.
So no, but yeah, that's a good thing, we are humans. We make mistakes. And especially if you are working with other people that are not 100% Kubernetes experts. So it really prevents people from doing silly things. Yeah, but we're French. I thought French, you don't make mistakes. No, no, we don't admit it. Oh, okay. Now it should be good. Yeah, I pressed the wrong button. I don't have my mouse. So it's. Yes, now it was good. Now we're good. So now if we go look at our pods that have been deployed, we should finally have the correct version. Where is my image when I'm looking at the pod? No, not that one. That's not my pod. That's my job. Oh, here it is. Good. Yes. Yes. Yeah, victory. Oh my gosh. Great. So now some key takeaways from this demo. Never trust a French guy, especially when there are two. I'm going to blame the drugs, finally. Yes. So if you use Kubescape in all steps of your pipeline, you can make sure you are secure all the way. Yeah. And all those tools really help you have automatic security, streamlined, improved collaboration, whatever. And now I have a question. So did any of you know Kubescape before, or are you using it? Some people. Good. So now we need you. Can I have the last slide, please? And then we go to the Q&A. Oh, it's not updated. Okay, it's okay. So please, we are going for incubation. So if you are using Kubescape, please open a PR and put yourself in the adopters list, because we need to prove that more people are using it. We know it from the telemetry data, but we need to prove to the CNCF that we are popular so we can go to the next step. So, question. Yes. The analysis template. This one. Ah, yes. We will add it to the documentation, the example. And actually, since there are some steps already for, we could add something in Argo Rollouts. Probably if you can put plugins or something. So that's a good idea. Yeah. Thank you very much. Good luck, France.