 Well hello everyone and welcome to another video of Red Hat OpenShift Container Platform featuring our partner Ecosystem and I am Dave Muir, Principal Solutions Architect at Red Hat. I focus on Red Hat Security ISV Ecosystem and in this video I plan to demo an integration between Synopsys Blackduck and Red Hat Advanced Cluster Management and this allows you to govern and secure your fleet of Kubernetes clusters by creating a Blackduck policy in Advanced Cluster Management to ensure that Blackduck is deployed in all your clusters so it can automatically scan, identify and monitor the open source and all container images deployed in all of your Red Hat OpenShift clusters. So in this short 10 minute video I plan to give you a solution overview of Synopsys and Red Hat Advanced Cluster Management for Kubernetes. I'll show a little bit of an architecture overview and then we'll get into a demo with Blackduck and Red Hat Advanced Cluster Management. Now this demo focuses on Synopsys Blackduck's integration with Red Hat Advanced Cluster Management. If you want to learn more and see a demo about the core concepts of the Blackduck integration with Red Hat OpenShift then you'll want to check out the Synopsys Blackduck on Red Hat OpenShift YouTube video which you'll find on this very same channel which of course is the Red Hat OpenShift YouTube channel. In that video I discussed how Synopsys fits into the Red Hat's DevSecOps framework and specifically the security methods that are integrated in the different points here on the DevOps lifecycle. As you can see Synopsys complements, Red Hat OpenShift as their technology addresses application analysis needs like static analysis, software composition analysis, interactive analysis and dynamic analysis testing as well. I also dove into the Blackduck for OpenShift architecture and how Blackduck's certified operator installs the Blackduck connector and that's responsible for scanning container images to identify security, licensing and operational risk and then retrieving the vulnerability and policy information from Blackduck to place on pods as labels and annotations. Again if you want more detail on this specific integration then please do view that Synopsys Blackduck on Red Hat OpenShift YouTube video it's only about 10 minutes just like this one. Now for this video imagine you have a fleet of more than one cluster either on prem or in the cloud maybe you have a combination of both. Well deploying the Blackduck operator and connector is very straightforward on one cluster but let's say you had 5 or 10 or 100 clusters that task starts to become a bit redundant and you can waste a lot of your time. Plus what if you wanted to know the deployment status of the operator or if any running images were in violation of a Blackduck policy I don't think you'd want to go to each 100 clusters and look at every single pod in the labels and so this is exactly what Red Hat Cluster Management and the Synopsys Blackduck integration do for you. With a pretty straightforward YAML policy you can ensure that the Blackduck operator and connectors are deployed in every cluster under management and you can see a centralized view of which clusters have images that fail Blackduck policy. Now this capability is part of the governance risk and compliance feature with Advanced Cluster Management for Kubernetes which allows you to centrally set and enforce policies for security applications and infrastructure it also allows you to prevent unintentional or malicious configuration drift. There's three other major capabilities within Advanced Cluster Management they are cluster lifecycle which I always say is the crud for clusters it allows you to create update delete Kubernetes clusters across multiple private or public clouds then there's application lifecycle which allows you to easily deploy an application as well as visualize those applications and their relationships across clusters and then you have end-to-end visibility which allows you to view system alerts, critical application metrics and overall system health. Okay so if I jump over to Red Hat OpenShift Container Platform the first thing I want to do is create a new project we'll call it Synopsys Blackduck this is where the Blackduck connector is going to be installed in through the policy that is governed by Red Hat Advanced Cluster Management. Now if I go over to Red Hat Advanced Cluster Management for Kubernetes you can see the four capabilities that I talked about previously and in this case we're going to go to Governance and Risk you can see no policies are created at the moment so I'm going to click Create Policy and what you want to do now is head on over to GitHub to the Open Dash Cluster Dash Management repo and go to the Policy Dash Collection, Community and SI System and Information Integrity folder and there you'll find the Blackduck for OpenShift Policy and you can copy and paste that but there's a couple modifications you need to make and so I'll point that out here copy and paste my version you sort of see when I copied that in some of the fields here were filled out if I go up to the top of the YAML there's three different policy checks that this YAML describes. The first one is that the Blackduck operator is installed on all the clusters you want it to be installed on. The second object definition, the second policy that's enforced is that the Blackduck connector is installed and one of the things you'll want to do here is specify which namespace you want this installed in as you saw I created Synopsis Dash Blackduck earlier and then you'll need to specify the URL and credentials for the Blackduck server that you want the scan results to go to so in this case I'm going to Red Hat hub.blackducksoftware.com and so the third policy is all about ensuring that your pods have been scanned by Blackduck and that there are no vulnerabilities we take a look at this object template you can see it's a compliance type of must have and a label on the pod that says not in violation if remember the integration details with Blackduck for OpenShift it labels pods based on the number of vulnerabilities and the number of policy violations that occur after a scan so in this case if this policy does not find this label and the value of this label is not in violation that means two things one the pod either has vulnerabilities or two if the label doesn't exist container image hasn't been scanned yet so if we take a look at the form everything is filled out for me I'm going to leave enforce if supported checked because once I create this policy it'll then begin to build the OpenShift objects like the Blackduck operator and the Blackduck for OpenShift deployment so I'll click create that's going to redirect me to the governance and risk page and I'll click policy Blackduck you can see it's not compliant right now because it didn't find the operator nor did it find the Blackduck for OpenShift deployment but if we go over to the cluster and take a look at the operators that are being created you can see the Blackduck operator just installed a few seconds ago and that has succeeded so if we go back to the status of our policy Blackduck you'll see that the Blackduck operator is compliant as well as the Blackduck connector is now compliant also because it must have installed the Blackduck connector let's take a look to see if that exists now we go to Synopsys Blackduck and go to workloads pods and there's the Blackduck for OpenShift integration with its four pods now let's see the scanner in action one thing I forgot to point out if we go back to the policy and look at the yaml and we jump down a little bit on the second definition you can see this pod processor node where it has a namespace filter that's looking at Synopsys demo so what this is telling the Blackduck connector to do is to only scan images that are in that namespace so let me create that namespace now what I want to do with Synopsys demo is add an application so I'll go ahead and port some yaml here this is just a simple image called Duckie CRM that does have some vulnerabilities so when I go ahead and create it that will start to build out the pod once a pod creation event occurs Blackduck for OpenShift grabs that event from the Kubernetes API and gets a handle to the image downloads the image into a tar file and scans the tar file and sends the results to the Blackduck server the integration then communicates with the server to get data to send back into the pod in the form of labels so if we scroll down here momentarily we should see some labels that are specific to Blackduck like the ones that just popped up right now so you can see that I've got 56 vulnerabilities these are high vulnerabilities higher critical and the overall status is in violation if you remember in the Red Hat Advanced Cluster Management Policy in the YAML we specified that that label needs to be not in violation and of course that's why we're still not compliant here with this cluster because those labels are in violation okay and if we wanted to just see the results in Blackduck itself we would head on over to your Blackduck server and log in and then you can easily find Duckie CRM by filtering by project you can go into the project itself and you'll notice 26 plus 30 is 56 those are the 56 high and critical vulnerabilities that were drumroll please add it to the label back here in OpenShift in the pod that wasn't that cool now what's even more cool is that this integration was all deployed and it's now managed through Red Hat Advanced Cluster Management and as we saw with a pretty simple YAML we're now able to deploy both the Blackduck operator and the Blackduck connector on n number of clusters regardless of their location we're also able to centrally view which clusters have either not been scanned by Blackduck or in a violation of a Blackduck policy alright I'd like to thank everyone for watching this demo of the Synopsis Blackduck integration with Red Hat Advanced Cluster Management and how you can govern and secure your fleet of clusters to learn more please head on over to RedHat.com or the software integrity pages at Synopsis.com have a great day y'all