About this video
What You'll Learn
- Scan Kubernetes clusters, YAML, and Helm charts for NSA/CISA hardening failures
- Interpret framework risk scores by weighting failed resources and control severity
- Create exceptions for accepted findings so recurring privileged workloads stop skewing results
Ben Hirschberg from ARMO walks through Kubescape, scanning clusters and YAML against the NSA/CISA hardening framework, writing controls in Rego on OPA, shifting left with the VS Code extension and GitHub Action, and the RBAC visualizer in the hosted UI.
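The two score types named above (a per-control failure percentage and a severity-weighted framework score) together with exceptions for accepted findings, modelled in Python. This is an added example built from how the talk describes the calculation, not Kubescape's own code; the severity weights, the rule that an excepted resource drops out of both numerator and denominator, and the sample scan results are all constructed assumptions.

```python
"""Illustrative model of the two risk figures the Kubescape CLI prints, as
described in the talk: a per-control score (percent of evaluated resources
that failed) and a framework score that weights failures by control severity
and normalises against the worst case in which every resource fails every
control.  Added example; weights and data are constructed, not Kubescape's."""
from dataclasses import dataclass

# Assumed weights per severity level (constructed for this example; the real
# scoring factors live in Kubescape's control definitions, not on this page).
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Control:
    name: str
    severity: str
    # resource id ("namespace/kind/name") -> True if the control failed on it
    results: dict


def evaluated_results(control, exceptions=frozenset()):
    """Results left after dropping excepted (control name, resource id) pairs."""
    return {r: failed for r, failed in control.results.items()
            if (control.name, r) not in exceptions}


def control_risk_percent(control, exceptions=frozenset()):
    """Percent of evaluated resources that failed; None means 'skipped'
    (no relevant object in the input, e.g. no dashboard deployed)."""
    evaluated = evaluated_results(control, exceptions)
    if not evaluated:
        return None
    return 100.0 * sum(evaluated.values()) / len(evaluated)


def framework_risk_percent(controls, exceptions=frozenset()):
    """Severity-weighted failures divided by the severity-weighted worst case."""
    worst = actual = 0
    for c in controls:
        evaluated = evaluated_results(c, exceptions)
        weight = SEVERITY_WEIGHT[c.severity]
        worst += weight * len(evaluated)            # every resource failing
        actual += weight * sum(evaluated.values())  # resources that did fail
    return 0.0 if worst == 0 else 100.0 * actual / worst


def report(controls, exceptions=frozenset()):
    """Per-control percentages plus the framework score, like the CLI table."""
    return {
        "controls": {c.name: control_risk_percent(c, exceptions) for c in controls},
        "framework": framework_risk_percent(controls, exceptions),
    }


# Constructed sample modelled on the Minikube + Hipster Shop cluster in the demo.
SAMPLE = [
    Control("Privileged container", "high", {
        "hipster-shop/Deployment/recommendationservice": True,
        "hipster-shop/Deployment/frontend": False,
        "kube-system/DaemonSet/kube-proxy": False,
    }),
    Control("Writable hostPath mount", "high", {
        "kube-system/DaemonSet/kube-proxy": True,
        "kube-system/Pod/etcd-minikube": True,
        "hipster-shop/Deployment/frontend": False,
    }),
    Control("Pods in default namespace", "low", {
        "hipster-shop/Deployment/recommendationservice": False,
        "hipster-shop/Deployment/frontend": False,
        "kube-system/DaemonSet/kube-proxy": False,
    }),
    Control("Access Kubernetes dashboard", "medium", {}),  # nothing to evaluate
]

# Accepted findings: system components that legitimately need a hostPath.
ACCEPTED = frozenset({
    ("Writable hostPath mount", "kube-system/DaemonSet/kube-proxy"),
    ("Writable hostPath mount", "kube-system/Pod/etcd-minikube"),
})


if __name__ == "__main__":
    for label, exc in (("no exceptions", frozenset()), ("with exceptions", ACCEPTED)):
        r = report(SAMPLE, exc)
        print(f"--- {label}: framework risk {r['framework']:.2f}%")
        for name, pct in r["controls"].items():
            shown = "skipped" if pct is None else f"{pct:.1f}%"
            print(f"{name:32} {shown}")
```

Without exceptions the two hostPath findings on kube-proxy and etcd push the framework score to about 43%; once those two are accepted as exceptions the same cluster scores 20%, which is the "stop skewing results" effect the bullet above refers to.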
Jump to a chapter
- 0:00 Intro
- 2:43 Welcome and Introduction
- 3:03 Introducing the Guest: Ben from ARMO
- 3:15 Introducing Ben
- 3:41 Guest Background
- 4:32 Kubernetes security
- 4:35 Discussion: Is Kubernetes Secure by Default?
- 6:03 What is Kubescape
- 6:51 What is Kubescape? (Definition and Purpose)
- 7:35 Kubescape Frameworks (NSA/CISA)
- 9:06 Community Feedback
- 9:36 How people are using Kubescape
- 9:54 Q&A: Adopting Cloud Native Security
- 10:31 Mindset Shift for Cloud Native Security
- 12:00 Cloud native security
- 14:30 Starting the Hands-on Demo
- 15:00 Introduction to Kubescape
- 15:01 Kubescape CLI Demo: Scanning a Cluster
- 17:05 Kubescape Scan
- 17:55 Interpreting CLI Scan Results and Risk Score
- 19:15 hostPath Mount
- 22:00 Risk Calculation
- 25:55 Kubescape on Kubernetes
- 26:01 Q&A: Support for Managed Kubernetes (EKS, GKE)
- 27:30 Kubescape CLI Demo: Scanning YAML Files
- 30:25 How often should we run Kubescape
- 30:40 Shifting Left and VS Code Extension
- 35:17 Adding a frustrating position in Kubescape
- 36:47 The line of problem in Kubescape
- 39:50 Plans for Kubescape
- 40:00 Q&A: Admission Controllers and Policies (OPA/Rego)
- 43:46 New directions
- 44:05 Future Directions: Host, Cloud, and Vulnerability Scanning
- 52:15 Kubescape SaaS UI Overview
- 54:34 Navigating the UI & ArmoBest Framework
- 56:03 Handling Exceptions in the UI
- 58:29 Discussion: Minimizing Security Fatigue
- 1:01:30 Discussion: Recent Kubernetes Vulnerabilities
- 1:09:19 RBAC Visualizer Overview
- 1:11:04 RBAC Visualizer Demo
- 1:13:54 Discussion: Importance of RBAC Visualization
- 1:16:10 Kubescape as a Full Spectrum Security Tool
- 1:16:51 Call for Community Contributions
- 1:18:49 Q&A: Licensing and CNCF Status
- 1:20:00 Conclusion and Farewell
Full transcript
Generated from the English captions. Timestamps jump the player to that moment.
0:00 Intro
1:53 Hello? I'm so confused. Hold on a second, please. Professional stream going on here. You know, during the intro, I heard my intro music playing over the top of itself and it was very much confusing myself to the point where I muted it because I was concerned that it was playing twice. I then proceeded to ask my guest if he had the YouTube page open and guess what? It was me. So I was listening to my intro video while trying to talk to you and introduce the show and now I feel like an absolute ass. However,
2:35 we're gonna get things kicked off today because things go wrong all the time and it's usually my fault as I always always say on the stream. So today oh, hello. Welcome back to the Rawkode Academy. My name is David Flanagan. You will know me as Rawkode. And today we are taking a look at Kubescape. It is a Kubernetes open source tool providing multi cloud Kubernetes single pane of glass. As we see in the title graphic, we're going to show you how to secure your clusters like the NSA. Now, as you can tell by my mistakes in
3:03 Introducing the Guest: Ben from ARMO
3:05 the first minus thirty seconds of the show, I am not smart enough to guide us through this today. However, we are joined by someone who is. So let me please introduce our guest, Ben from ARMO. Hey, man. How's it going? Hi. Hi, David. Thanks for having me. See, you must be feeling very confident now that I've made all the mistakes in the first ten seconds. Right? That takes the pressure off. Yeah. Well, that's just the beginning of the show. You will see my mistakes in a few minutes. Alright. Awesome. Well, thank you so much for
3:15 Introducing Ben
3:33 joining us today. And for anyone who's not familiar with you, doesn't follow you on Twitter, can you share a little bit of information about Ben? So yeah. Okay. I will try to keep it short. Okay. So I'm a cybersecurity veteran, okay, coming into the cloud native space, like, for a few years now. Mostly, you know, we're working in ARMO, which is a startup we founded two years ago. We're working on Kubernetes security and improving the security of applications in Kubernetes. And what I can tell you about myself is that I'm the VP Engineering here.
3:41 Guest Background
4:15 But, you know, as a small startup, you most of the things you are doing, you're doing everything. So you're also washing the dishes at the office and everything. So I'm a father of beyond the time, I'm a father of four, and I love to play chess. Awesome. Thank you for sharing all that with us. I always like to ask a question where we have security focused people on, and it's is Kubernetes secure by default? What are your opinions on that? So, actually, this is a really good question. Okay? I know that you've asked someone else, but,
4:35 Discussion: Is Kubernetes Secure by Default?
4:50 you know, this is something always first of all, I'm a fan. Okay? So of your show. And Kubernetes, I have to tell you that one of the most interesting things about Kubernetes is that the people behind Kubernetes gave a real thought to security. Okay? And this doesn't mean that Kubernetes is secured by itself, okay, because there is nothing which is secured by itself today. But I really do think that many things, okay, for many years, okay, which, you know, we've been laughing at different technologies. Okay. Web servers, CGI bins, if you remember,
5:34 and stuff like that. Okay. That's how funny it was, how they didn't think of security from the beginning, or not just from the beginning, in the middle either. But in Kubernetes, they really gave it serious thought and many things are in there. This doesn't mean that everything is fine, but this is really good. I mean, it's really great to work with Kubernetes because you feel that really the thought is there and the good start is there. Yeah. Definitely. 100%. I think, you know, when people talk to me, they're making typically, they're migrating to Kubernetes,
6:03 What is Kubescape
6:10 and they're doing that with security as one of those tenets that they really hope to get because, hey, it's in a container. Right? Like, what bad things can happen? And I schedule everything in containers. But as with all tools, every tool in the world, it's easy to go down a path of misconfiguration and breaking stuff, or even just downright ignoring best practices and going into the security context and going wild on it, right? Like, it all comes down to individual users. And I think that's why I'm really excited to kind of introduce people to Kubescape today because
6:37 it's going to bring a lot of these misconfigurations and bad practices front and center and show people like, maybe you need to look at why you're doing this and maybe there's a better way to do it. So can you I've said Kubescape, like, three times now, so we might as well tell people what it is. Could you give us the description of what is Kubescape, please? So Kubescape is our open source project. Okay? We started, like, last summer, which is a tool scanning your cluster against misconfigurations at the beginning. And not just saying in the beginning, okay, because
6:51 What is Kubescape? (Definition and Purpose)
7:15 we have a long way to go and we have many exciting things going on. But the really, really basic is checking your cluster and checking your YAML files and Helm charts before deployment, checking them against the best practices security best practices. And we've you mentioned NSA and and really NSA was was a really good starting point for us. Okay? Because, you know, NSA CISA framework was released somewhere in August, I think, where actually, you know, NSA, you know, created this great document. Okay? It's telling people what is the what can be the problems with with the Kubernetes misconfigurations
7:35 Kubescape Frameworks (NSA/CISA)
8:00 and, you know, we created a standard, okay, practical standard. And I'm telling practical because many of you might know that there are many other standards like PCI, SOC 2, and stuff like that, which are giving you very, very high level, you know, ideas, okay, of what should be the goal, but don't give, you know for us engineers, they don't really give, you know, explicit, you know, instructions what to actually do with it. And NSA, I think they took this to the next level because they actually told you things like, guys,
8:41 okay, encrypt your etcd, okay, which is, you know, it's something that the engineer can do with it. Okay? So we created Kubescape around this framework. And, literally, we saw, you know, the very big early success came with it, and we added more frameworks around Kubescape ever since. And it's really we got I cannot, you know, emphasize it enough. We got a huge love back, okay, from the community. And we really got awesome feedback, okay, on how people are using this tool and how it helps them to find their
9:06 Community Feedback
9:26 security issues even, you know, before, but also within the cluster, and how this improves their security posture. Awesome. Yeah. I can understand why there's a lot of love for Kubescape. I've been playing with it and poking at it over the last kinda couple of weeks. Like, I'm really excited to dive into it more and share that with everybody. So yeah. Definitely. We do have our first question from Mozz. So, if you are watching us live, we do encourage questions. Please get them into the chat, we'll do our best to answer them.
9:54 Q&A: Adopting Cloud Native Security
9:59 Mozz, your question is very generic and I'll give Ben the opportunity to answer it. But if you want to, you know, follow up with maybe a few more specifics about what your friends are struggling with, that would be great. But Mozz does ask, many of my cybersecurity friends are struggling to adopt Kubernetes and cloud native. Do you have any advice for them? Wow. That is great. I waved net there. But Yeah. Yeah. So I think I understand where Mozz is coming from, and this has been, I think, that many of us see. Okay? And it's
10:31 Mindset Shift for Cloud Native Security
10:35 really coming from the, you know, the big not just pressure, but the big scape of, you know, landscape of things today's cybersecurity persona needs to look into today. And, really, you know, once we had, you know, VMs and blades and, you know, we knew how to set up a firewall and stuff like that, and these systems are still living. Okay? And a security person needs to really go into take more on himself and learn other things like cloud native not cloud. Okay. Not just cloud native, but cloud, cloud native, and then
11:13 Kubernetes. And I think that really there is no easy solution. Okay? I think that most cybersecurity friends, I'm pretty sure that we are great professionals, and they have all the basics. And simply they have to take a few you know, take their time and learn it. Okay? And this I think that especially Kubernetes and cloud native, they have a wonderful community with really people who are ready to answer questions and many, many places where you have resources and, you know, you cannot cheat it. You have to dive
11:57 in Yeah. To death. Yeah. That's I think that's probably one of the most important things, I think. Like, when you're talking about, you know, most of them, they're struggling with this. Right? I mean, the wrong answer is to go on your own and try and do something bespoke because you think it's safer and secure. Like, herd mentality here is really important. We have so many active organizations and people promoting best practices in the cloud native space that you want to go on with them and stand on the shoulders of everyone else that's doing the hard work upfront.
12:00 Cloud native security
12:27 And I think we're in a really exciting time now in the cloud native space where there has been a big push on security. You know, we've got ARMO pushing Kubescape, we've got Chainguard doing all the image signing stuff with cosign. Like, we've never been in such a fortunate position. I mean, you think back to Kubernetes in 2017, 2018, like, wow, that was scary. Where we are now, I think people should be excited, hopefully. I feel that they should be excited. Yeah. Completely. And I think and really, you know, just there
12:59 is something okay, I want to mention something that came into my mind just, you know, after my answer. That yeah. But because if you take if you, you know, think about, you know, all the progress we made, okay, in the last, you know, five to ten years. Okay? And then the whole adoption of infrastructure as code. Okay? I think that there is really a new mindset, okay, for security personnel. Okay? They have to adopt. Okay? Because, you know, the secrets in Kubernetes are not coming from, you know, I don't know, from
13:39 just from the air. Okay? They are coming from a Git repo. They are coming from a script, okay, which is, you know, which is stored in some kind of a bucket. Okay? Either it's Git or something else. And this is not the time where we went through with our USB, you know, drives and started to distribute keys in the blades. So, yeah, this is also a change of mindset, not just, you know, technicality. Yeah. 100%. I sometimes look back at some of the things I used to do to distribute keys
14:13 and secrets and I'm just absolutely ashamed. Yeah. Alright. Thank you. So thank you for that question, Mozz. Hopefully, that helps. If you have anything more specific, please drop it into the chat. And we have a hey from Joshua. Hey, Joshua. Thank you for joining us. Alright. Ben, you're gonna guide us through a look at Kubescape today. So if you can get your screen share ready, we'll pop over there and then we'll show the audience how cool this is. Okay. Wait a second. I'm just also, I need my technical half minute here. Yeah. Take all the time
14:30 Starting the Hands-on Demo
14:48 you need. No rush. Yeah. So I don't know if you see my screen. Let me pull that up now. We can. We see a terminal, and you're typing. Awesome. So yeah, so we are in terminal. I think this is the best place we can be. Okay. So I just wanted to, you know, really to give you an intro for those who care about Kubescape who haven't heard or you're newbies for us. So, again, you can find us on GitHub, armosec/kubescape. You can see here our project. Now within the project, okay, as I told you, the
15:01 Kubescape CLI Demo: Scanning a Cluster
15:41 simplest, you know, to start with Kubescape is simply installing our CLI tool. So our CLI Kubescape is, like, by default, packaged as a CLI tool. And what it does is it scans either your cluster or your YAML files or Helm charts and looks for security issues within. So we talked about before that we came from the world of what we of NSA. So what I meant by this is that we are organizing what we call controls, which are something like tests. We are organizing them into frameworks. Okay? So
16:24 think about it as groups. Okay? And we have this NSA framework containing multiple tests or controls as well. But we have other different frameworks like we have the MITRE framework which is another approach, okay, another set of tests which was prepared by the security research team of Microsoft and other sets which I will show you later. And what you can do is simply, you know, download Kubescape with a single liner here. You can copy paste just as you saw it before and, you know, install it. So right now,
17:05 Kubescape Scan
17:10 okay, we have more than one kind of application packaging of Kubescape. One is what you saw right now, the CLI tool. And later, if we'll have time, I will show also that we can install it as a cluster component. But the simplest thing, okay, you can do with Kubescape is simply write kubescape scan. Okay. And then what kubescape does is it connects to the Kube API from the current context, which is configured, and simply looks into your configurations, your Kubernetes objects, and tests them against different tests. So in this case, okay, if you this is
17:55 Interpreting CLI Scan Results and Risk Score
17:57 what it took to run the whole test. It was, you know you can see that it was less than a minute. And you can see a list of different tests we've run here, which we again, what we call test is in our language is called controls. And for example okay. I can bring for example, here one test called container host port. So I'm telling you right now that container host port is a control which checks whether the host port was defined for a given deployment or workload. And you can see that there is a
18:39 single resource which failed this best practice out of 19. And based on these results, okay, we are computing, you know, an aggregated risk score of your cluster, which in my case, I just installed a Minikube here with the Hipster Shop application where I developed and made some, you know, security big no-nos in order to be able to show you some of the good things. But just going back to what is the output of the CLI is so, for example, there is another control called writable hostPath mount. Okay? So it means
19:15 hostPath Mount
19:23 that it is really bad practice from a security perspective to mount hostPath and also not just to mount hostPath, but even to enable writing to that hostPath. So in this case, we found, you know, four workloads. Like, we found kube-proxy uses hostPath now. Okay. We see that etcd is using it, kube-controller-manager, and storage provisioner. So you're asking yourself, like, That's a little bit strange. Okay? Because these are Kubernetes components. Okay? And why I'm complaining why Kubescape is complaining about Kubernetes components.
20:07 And this is a, you know, this is an approach we took at the beginning. Okay? Because, you know, sometimes in security, okay, I think the best approach is not to hide things, okay, even though they are related to the system you're working in. So in our case, really, kube-proxy requires a hostPath to be mounted. Okay? Otherwise, in Minikube, it will work. Okay? But on the other hand, the control needs to list it, okay, because still this can be in some context, this can become an
20:46 attack vector. Okay? A theoretical attack vector. Therefore, we are listing it. The the we'll talk about a little bit later what we are going to do with it. Okay? Because in Kubescape, it's very important for not just to show you, you know, to drive results, but also to to help you to work with them and work your solve your issues. So we'll get back to it, but I'm looking here back to other other controls, other tests we've we've run here. I want to bring you, you know, something more interesting. Look. So we have this control
21:20 called privileged container, okay, which is one of the most basic checks, you know, in the I think some of you already smiling, I feel, here because this is one of the most basic tests, okay, on any security posture tool, okay, checking whether you have privileged containers or not in your environment. So in this case, you can see that that, there is a deployment in the Hipster Shop namespace called recommendation service, which, again, for for the sake of, you know, demonstrating the capabilities, okay, I've made it to a privileged container. Any questions? Just Yeah. David, do you want to answer? Yeah.
22:00 Risk Calculation
22:01 Yeah. We have one question on the chat, but I'm gonna be selfish and ask my own question first. If you just go back down to your table, you listed you present a bunch of risk percentage scores, and I was curious if you could help us interpret those. Sorry? About what? So it says, like, we have a risk score on the table of 100%, skipped, 94, and does I don't know if those correlate to the framework risks, which seem to be in yellow above it. So yeah. Okay. Yeah. So very good question. So we have
22:35 and we have a very differentiated risk score calculation. Okay? So what you see here, the risk score here means, actually, you know, the percent of failed resources on a given test. Okay? So in this case, you see that access container service account. Okay. This means that the container has access to the service account token. Out of 41 workloads, 41 of them have access to the service account token. Okay? This means that 100% have failed. Okay? Yeah. But for, for example, let's take something with zero and interesting enough
23:16 here. I think that in this case, the access Kubernetes dashboard is not really interesting from our point of view because we don't have Kubernetes dashboard. But, for example, pods in default namespace. Great. So in general, okay, this is best practice not to put pods in the default namespace. And as, you know, as of all the pods in my cluster, okay, none of them are in the default namespace. Therefore, there is a risk of zero here. And the correlation, okay, with this framework risk, okay, which you can see here, I have a 34.97%
23:57 risk score of NSA. So it's a little bit more complex. It's not just a simple percentage calculation. Okay? Because I would be happy, by the way, to point you to documentation, but we don't have it here about this calculation method. But I will try to explain it to you and prevent you from going into the code and reading it yourself. But the idea is as following. Okay? So we are trying to calculate risk. Okay? Accumulative aggregated risk for the whole, for framework, for whole cluster based on what is the worst potential outcome.
24:35 Okay? So, for example, if you have, like, control A and B and you have five resources for each, so we are creating a score of 100% in case that every resource on every one of these controls is failing potentially. Okay? And also adding, you know, adding to the equation also the level of the given control, the severity of the given control. So, for example, privileged container has relatively high risk, okay, and high severity. On the other hand, I don't know let's take okay. Cluster internal networking has a
25:24 medium severity. So we are adding to the to the calculation all these, you know, things and and creating this cumulative score. Okay? And, again, we are taking the worst case based on your cluster if all the controls are failing on all the resources, the the and this is the worst case scenario. So related to this, where are you on this scale? And, yeah, I hope I hope I could explain it. Yeah. That definitely helps. Thank you very much. Alright. Joshua's question from the chat. Joshua asked, is Kubescape able to run on managed Kubernetes solutions like EKS and GKE? Because
26:01 Q&A: Support for Managed Kubernetes (EKS, GKE)
26:08 some other security tools won't or are not able to run since there's no, I guess, unrestricted access to the control plane. Yep. So definitely. So the answer is yes. Kubescape as a CLI tool is running today. We did some, you know, statistics on how many people are running, and we are seeing something like 30 to 40,000 Kubescape runs a week. And major most of those clusters are managed Kubernetes clusters. So they're like, as Joshua just said, EKS, GKE, AKS clusters and also OpenShift and DigitalOcean
26:57 clusters. Actually, Kubescape by default only uses the Kube API, and from anywhere where you have access to the Kube API. And right now, you know, I have in this console, I have access to the Kube API, and I have the authentication credentials to if Kubescape can access the Kube API, it can scan your cluster. Awesome. Thank you. Alright. So go back to your demo. Yeah. So just, you know, I wanted to show you, and I hope that I have it here. Yeah. So I have this YAML file, okay, because which
27:30 Kubescape CLI Demo: Scanning YAML Files
27:38 is, you know, actually I hope I have to wget here. Yeah. So what I wanted to show you that just as I scanned, you know, the cluster, I can take my YAML file also. Okay? Before I'm deploying it to the cluster, I can also scan it, not just the Kubescape API. So I think it was a, you know, it was a really important decision for us, okay, from the way we've designed this architecture, okay, and the way we designed this whole project, to give an answer, not just
28:20 actual deployment and monitoring a part of the things, but also what do you want to do beforehand, how do you want to prevent things, okay, going into your production. And, you know, I just ran the scan on the YAML file, and you can see that I got the same table. Okay? So some of the controls are skipped because they are simply not relevant. They don't have inputs to those things because the YAML files don't contain relevant Kubernetes objects. But, for example, I can already see, okay, that, again, I have here a component
28:57 of workload which has host IPC privileges. Okay? And this means that one of the workloads out of the 12 workloads which I had in the YAML file is already failing here. Okay? So, for example, for our own production CI/CD, we already use Kubescape in the delivery pipes and are already looking into the things before they get to the production environment and stopping pipes, okay, from delivering, you know, problematic things like, in this case, this privileged container. It is the very same privileged container
29:37 you saw before in the cluster itself. So if you're thinking about, you know, a development process and not just, you know, want to understand what you have right now in your cluster, okay, but you also want to add Kubescape into your whole work process, okay, you can use it. Okay. Just this week, okay, someone decided to write a GitHub action, okay, for Kubescape, and, hopefully, by next week, you'll have a published GitHub action also, you know, facilitating this test. So you will be able to add Kubescape
30:15 even easier to your pipes and your workflows, and you'll be able to prevent, you know, security misconfigurations even before. I'm curious about what, you know, what a production pipeline might look like here. So, you showed how Kubescape can reach the API server and do the in-cluster stuff. We've also got the ability to run it at, like, GitHub action context to prevent things ever getting to the cluster. I mean, should the GitHub action be able to block a deploy? Is that something that we would encourage for certain profiles or controls? And the in-cluster stuff, is that something
30:40 Shifting Left and VS Code Extension
30:54 that we should be running regularly? Is it something we run all the time or just daily? Like, what would you suggest? So definitely okay. So I'm, you know, today, I'm here, you know, on one hand, you know, my heart is going for the security and cloud native community and development. But on the other hand, I also, you know, I'm also VP Engineering of a company. Right? And this means that I need to monitor our flows and understand, okay, how to make them better, how to make our,
31:33 you know, our processes better. And, you know, the the the idea of shifting left, okay, stopping things, stopping problems, catching problems, you know, very, very early, you know, is is is really important. Okay? And and and we are really, really committed, not just, you know, you know, we are not just talking to the top, we are trying to walk the walk, you know. Right? So we really mean that we want to integrate and bring this information as early as we can. And while I'm talking, although this is relatively new machine, I'm trying to show you the same thing
32:12 even to make it more even interesting in Visual Studio Code. So we also released a Kubescape Visual Studio Code extension. And the reason for that, again, I'm installing here, and this is a live demo, so please, guys, please give me, you know, just slack because I hope it will work because I haven't tried it right now before. So what we really try to see, okay, to make sure that all these things are, you know, will, you know, come with you from the very point of time where you start to write your YAML files. You, you know, you
33:06 wrote your, you know, your Helm chart and stuff. Okay? And going into the direction of your, you know, dev and staging and production systems. And, you know what, just let's see, okay, if it works. Okay. So, hopefully, you can yeah. The scanning is working, but it should also show me show up also during yeah. As you can see here Oh, nice. Okay. So you can already see here that I'm already catching these issues right in your editor. So I mean, sorry. Not I. Okay? We are catching your issues.
33:51 Sorry. But but but, really, you know, the the point is here, okay, that to answer your question that, yeah, there's no question, okay, that you need to scan your your production systems and monitor that. Okay? And maybe, you know, when when we are, as engineers, are are dealing with security requirements from your our chief security officer in in your organization or or, you know, you simply need to provide some input to your your compliance preferred compliance type, you know, you need to bring in information. You need to scan your cluster. Okay? Because this is actually what you've what you
34:33 have. But from a configuration perspective, I do believe that most very most of things that can be caught before need to be caught before. Okay? Yep. It's real and I think it's really, really important. Also, from a security perspective, so you will have security issues, okay, in your clusters. Second is that, yeah, it is way harder, okay, to find these issues, you know, far from you as a developer and find them in the production system. Okay? And you the access to that, and you start to scan until you understand
35:09 how it works instead of, you know, seeing it within your, you know, your development environment. Yeah. I'm gonna follow up with one thing there, but I just wanna Avanash said hello in the chat and then Avanash followed up with, hey. I'm also the person working on the GitHub action. So nice work, Avanash. Yeah. Yeah. This is the great guy I was talking about. What I really resonate with about what you said there is that we are in a really frustrating position in Kubernetes land. Right? Like, the Kubernetes maintainers and contributors made this decision to deprecate
35:17 Adding a frustrating position in Kubescape
35:46 pod security policies. The path that they pushed everybody down was, well, you should be using Kyverno or some other in-cluster tools to do mutating admission and validating admission, where you don't really know there's a problem until kubectl apply or your GitOps operator starts failing. And by that point, you're like, oh, right. Well, what have I got to do to get this into my cluster? Right? I wanna be able to deploy it. And like the Kubescape comes at it with a multitude of angles, but the most important one being, can I scan this at pull request
36:16 time, get something that tells me, hey, this isn't actually gonna be admitted to the cluster because of all these things? And then you can fix them as part of the pull request process. It makes things a bit easier for new developers or people that aren't that familiar with this ecosystem and tool chain completely. Now, of course, you should still have validated mission controllers to block bad things again in your cluster, But for the developer's perspective, you're right. We have to make this easier for them to learn these constraints and controls and how to write better manifest.
36:48 Yeah. Completely. And and beyond that, okay, I what I want to show you that I don't know if you noticed, okay, in this case and but, okay, we are this is something, okay, that we we also added pretty recently, okay, that as you see that I'm not just saying that you have an issue within your deployment. Okay? And but, also, I can point you to the the specific line of of of of of problem. Okay? So I can explain you that, okay. And and and it connects you to to to what you said about the pull request,
37:23 okay, and and improving your, you know, pull pull requests and and and also, obviously, you know, action he's preparing. Okay? GitHub action is is preparing that that we really see this as part of a of a whole process. Okay? So to to catch the things and showing you, okay, that that, you know, this is the line of problem. Okay? This is this is what you need to check or this is not what you need to say that, well, it's okay. But but you need to, you know, create an exception, and we'll talk about it in a
37:58 minute. What is an exception for us? Awesome. So Do you see a feature for this? Like, I've now got I've got feature requests for you. So Awesome. Like, I want a little light bulb in VS Code to show up and actually just fix it for me. Just remediation like, hey, you should just set this to false or hit there. You can modify your service to be ClusterIP and, like, be able to guide people through how to make this better. Yeah. So I know it's it looks like we have, you know, premeditated these questions, but actually, you
38:35 know, we have some time. And, yeah, this is this is something, you know, we are we are working as right now. We are also to the which if you know, we are again, within the engineers, okay, what we needed to do in order to have these highlights, okay, is actually telling you, okay, which, you know, part of the YAML file, which, you know, which fields or fields are are related to this problem. And what you're saying is not just, you know, not just saying that, okay, the here is the problem, but what the actual remediation
39:06 is for this problem? And and this is right now, it's we are working on this today, more or less. Awesome. And hopeful and hopefully, you know, I don't know when we'll have the light bulb, okay, because, you know, we have to edit also to the to the extension here, but but the information will be there. And, you know, this whole the Kubescape is, you know, is is very, transparent. Okay? And and, you know, the same output we are we are generating here, you know, can be taken, integrated into any other tool. Okay? And but I wanted to tell you that this
39:42 information is there, and also the fix information is what with the light bulb is going to be there. So Awesome. Hopefully, really soon, we will have Alright. We got a couple more comments there. So we have a child from John Luca. You may have gone. Long time no see. Mozz is in with another great question. Mozz is curious if there are any plans for Kubescape. Now he's asked if you're gonna create your own admission controller, but I'm curious if you plan to do that or whether provide policies for existing admission controllers. Is that something that you've thought So,
40:14 yeah, we are we are thinking about it really hard, okay, because really the you know, we haven't talked about it yet, but I don't know if you guys are into it. Okay? I will be happy to talk about the controls themselves, which are they are written in in in Rego, and and Kubescape was built on on the OPA engine. Yeah. Okay? So which is we love it, and it's it's a great tool. And as of as you can see today, we have a big set of of controls and tests around it. And we really think we are giving you
40:48 trying to understand, okay, what will take us to to create an admission control. And, you know, I I think that this is not really the, really, the question of really the technicality of, you know, of implementing the admission control API. But, really, we are trying to create an open source project which is, you know, which is useful. And, you know, having this full integration with our with our Regos and and rules and controls together, you know, with Kubescape and this and the the GitHub action and the and the VS Code. And together, okay, we have
41:23 an admission control. I think that we are we're giving it a serious thought, but we want to make it right. So it's really important for us to, you know, to make something that that is is is usable and giving, you know, extra, you know, extra value, okay, for for you guys, for the whole community. Yeah. That's that's really interesting to know that it's using OPA and Rego because I guess now, probably not too difficult to take some of those policies and deploy them to be consumed by Gatekeeper right off the bat and been able to then provide maybe someone in
41:57 the community is watching and thinking, well, I use Kyverno. Please go and start converting these to Kyverno policies as well. Like, we have the Artifact Hub and I'd love to see all of these policies available to people regardless of admission controllers. That would be awesome. Yeah. That that would be great. Really great. And and you can see that that the other Kubescape project in GitHub, we have this regolibrary project, okay, where where actually all the controls you can see, okay, all the controls written here in in Rego and understand how you can understand how they
42:33 work. And now let's take this to for example, the privileged pod. Alright. Whatever. Or the almost the IPC privileges. So it these are simply, you know, Rego structures and queries. You know, it's it's different actually, it's it's different from how a little bit how Gatekeeper implemented things because, you know, we really you know, you can see all these failed path and fixed path fixed path and all the things, you know, we've just showed you that to show how the Regos are are not just, you know, identifying the problem, but also telling you what where the problem is and how to
43:19 fix it. Therefore, they are these things that are Regos are a little bit different. Okay? But still, you know, you can this open source project and as well with the same license, and and this is what we're using in Kubescape. So anyone who's interested to, you know, to do something with us or without us, but using this, let's say, is welcome. Awesome. Alright. We got a wave from Thomas Lav. I'll pop that back off, and I'll let you carry on with your demo. But this is this is really cool. I like this. I like what I'm seeing. Yeah. Yeah.
43:57 Thanks. And so this is your really what you know, Kubescape has a few new directions. Okay? And I'm also David, I hope you agree, but I'm going to use this platform also to ask for more contributions here to to join our community. But I wanted to show a a few interesting things. Okay? So as I told you before, you know, Kubescape is started from scanning your API server. Okay? So it connected the Kubernetes API, talked to the API server, you know, got all these, deployment and secret and service objects, okay, and and and, you know, told you what might wrong
44:40 with them. Now we understand that security is more complex, and security is way beyond, okay, only the API API server information. Okay? All the things we can all the objects we can get from the API server. And we have at least three directions, okay, we started already to go into. Okay? One is the host running the the the the Kubernetes nodes. Okay? So we've created you can see with in in in our GitHub, we've created a project called host scan host sensor, which is actually a high privileged daemon set, which we're installing during the scan on every Kubernetes node.
45:28 And it collects information from, the host, which is hosting the actual Kubernetes node. Okay? So we have access to the Linux kernel and to, and to the environment which are running to correct this node and not just the API servers and the containers from, from inside. So, for example, in this case, what where it where it can help us. Okay. So there there are different controls, okay, which can leverage this information. Okay? So, for example, I don't know if recall, I don't remember the ex exact name of the CVE vulnerability which was in the Kubelet,
46:08 like, you know, two two months ago or something or three months ago in in December. And in that case, okay, we, as Kubescape, we couldn't detect whether the actually, the hosts are vulnerable because in order to detect that, we also needed to understand what are the kernel configurations, on that host. And it's not enough to read, the kubelet version, which is available in node objects of the API server. And, also, beyond that, we've also, looking into different, you know, other different things, okay, in in the host. For example, what is the version of, you know, of your container runtime and and stuff
46:50 like that. And and we collect this information, okay, and we leverage this information to tell you more about your security posture. Now, obviously, our host sensor itself is is a high privileged, container within the cluster. And, therefore, what we are doing, we are installing it during the run and rim right away, after we collect the information, removing it. Okay? So this is something this is a one time thing in order to to, you know, to to collect this information and and and tell you what what can be your potential security problems. We are telling you about your host,
47:30 but but this is it. Okay? And then we we we remove it right away. Also, we have gone to the direction that I'm going to open our our documentation. We've also went into the the direction of of learning more of your cluster from the cloud provider. Sorry. So so your cloud provider today, you know, and and there were this is why I think the question about whether Kubescape can scan your your managed clusters was a great question. Okay? Because on the one hand, yeah, Kubescape can scan your cluster. Okay? But on the other hand, many information in the Kubernetes parts of
48:19 the Kubernetes control plane are hidden from you where you're running a managed Kubernetes cluster. Right? So when you are you're running a GKE cluster or an EKS cluster, you can you don't see actually the API server pod. Okay? And, for example, if I'm returning here just for a second for the test results, you can see here that we have a a a control called PSP enabled. Okay? Because in general, we believe that pod security policy is an important security, facility. Although, I know this is deprecated, and we are it's going to be swapped out to something even better.
48:55 But but when we we can only test whether PSP is enabled using, the Kube API when, the API server is running as part of the Kubernetes cluster, and we can find the pod which is running the API server and look into its configuration. When it is a managed Kubernetes cluster, for example, an EKS, Okay? We don't have this information because we don't see the API server pods because it's something that AWS is taking taking care of. So in that case, okay, what we are we are doing is, actually, we are connecting we have enabled lately
49:35 in, Kubescape to be able to access, the API of the cloud vendor, detect which cluster we are running in, whether it's an EKS cluster or GKE cluster, and, and and, you know, talk to the API of the cloud vendor and and find out whether PSP is enabled from the cloud vendor itself or whether etcd encryption is is, enabled, also get the information from the cloud vendor, because this information is not available through the Kubernetes API. So this is the second, you know, the second angle, second data source, okay, beyond the, beyond the host sensor I told you.
50:19 And third, which is coming out, you know, in this month, is going to be vulnerability scan. We are going to take inform vulnerability scan information of your images in your cluster and if they are available and and use them as, you know, as an additional information for writing controls, writing tests. For I'm giving you an example, and I will stop here because I need to drink something. That that for example, I I I give you a for example, you have a cluster. Okay? And and let's say that you're a very, very security conscious DevOps engineer, and you are scanning your images
51:01 for security vulnerabilities. Right? But what do you do with the results? Okay. There are different you know, there are love images with old, you know, old base images, and you have you get every week, you get a critical vulnerability. And sometimes it doesn't really help, okay, because it's, you know, it's more, you know, it's more like a fog, okay, because you have too many so many issues that you cannot, you know, you cannot prioritize by yourself. So what we're we decided to do as a practical step from Kubescape is to connect the vulnerability information with the information
51:35 we learn from the Kube API. For example, you have two two deployments. Okay. One deployment is is connected to a load balancer, you know, in case, let's say, AWS, and then it's an application load balancer. And the second deployment is an internal deployment, okay, which is not, doesn't have access from the outside world. So it's really clear that that in case that the public facing, deployment has a critical vulnerability is way more, way more critical issue than if an internal application has a critical vulnerability. So us as security, conscious, people, if we want to start to fix
52:23 things, obviously, we have to start to fix with the public facing workloads. Okay? And this is what what we're going to do at, in the next step of Kubescape. We're going connect we'll update the information together with the the Kubernetes information, and we'll try to give you actionable items. Okay. Things which are you know, we are we can say to you, like, dude, this is something you have to solve now. Well, this is more important than all the others. And now I I I'm going to sip a little soda. Yep. You grab a drink. Alright. Audience, if
52:57 you have any questions I mean, we've covered a lot so far about the different integration points for Kubescape. Ben has also shared some really cool things that seem to be coming down the pipe, which I'm very excited about as well. But if you have any questions for anything that we haven't answered yet, feel free to drop them into the comments before we finish up, and we'll do our best to answer them. Alright. Feeling better, Ben? Yeah. I'm way better. So what I want to what I wanted to show you, okay, is is actually, you know, the Kubescape
53:26 hosted the SaaS version, okay, the graphical version of the results, okay, which can take to to be here with you. So you can go to portal.armo.cloud where we are hosting, okay, our our Kubescape UI. You can sign up, you know, with your favorite social log in on this site, and you can what you can do, you can stream here your your results into this in into this environment. And, you know, I'm rerunning, you know, are the same Kubescape scan command here. Just in this case, okay, if I added my account ID, so I'm uploading it to to my to
54:11 my bucket. And, you know, I can open right now the the results here, which should be here within a minute. And and I I can monitor my cluster, you know, in a constant manner, okay, if we have used your this minikube, which I've just set set up. In this case, then I can see, okay, all all the controls. Okay. You saw also in the CLI before. You can see here, you know, the different frameworks which we are running. You can see the MITRE framework, the NSA framework. You can see here the we have created a a framework of our
54:56 own, which we call ARMO Best, which is which contains, I think, the most important controls you you should be running. And, you know, what I like to do here, okay, is really, you know, just looking by severities. Okay? I I like to see, okay, my issues, and I see that there isn't there are no failed controls here. But, for example, okay, I have here a high severity issue with this privileged container. And, again, this is the same results you could see in the in the CLI. And and, you know, you can see here, actually, the
55:32 the results themselves. And and with the same in the same UI, you can get here also the same information. Okay. What is the the problem in the YAML file? Okay. You need to you need to solve here. Okay. So, again, really important, okay, to to give, you know, to to the Kubescape users, okay, information to, you know, to help solve the problems, okay, they are having in their environment. And, you know, you can also there is something, okay, I wanted to show here that I think is really important. Okay? Because if you remember, I told you that
56:08 we we can see here two privileged containers. Right? You can see an application, okay, called recommendation service in the namespace called hipster. Right? And and you can see here also another called kube-proxy. I think the you know, although those who are viewing this stream, okay, you already know heard about this. And and it's in the kube-system namespace. And and again, you can see here that, for example, in this case, we are giving the users, okay, a a light bulb, you've just asked, that for that that we are recognizing that this is usually a common failure. Okay?
56:51 This this test is usually failed because kube-proxy is as of today, by design, it's a privileged container. It needs to run as a privileged container. But what you can do here, okay, you can, click here or here, okay, and create what we call an exception. Okay. We can say that, well, I understand that this guy this workload have failed. But next time, I don't want to see it as a failed workload. Okay? Because because I understand I accept that this is this is how it works. Okay? And I asked this DevSecOps or DevOps engineer
57:27 running this environment. I understand that this should be like this. Okay? And I don't want this to to affect my risk score. Okay? Because I want to see my risk without that. And in this case, next time, okay, when we are going to run Kubescape, okay, we'll simply won't see, okay, this failure with the kube-proxy. And and the same goes okay for for other so I can create an exception for the whole namespace for a given control or only for a given workload. And and and this, you know through this, you know, we are creating a workflow for
58:02 those who are reviewing clusters and and want to, you know, want to somewhat accept or or or, you know, create an exception for for for specific workloads or namespaces. Obviously, this is also supported in in within within our our CLI, just a little bit more messy to show it. So I hope you forgive me that that I show this way. Up until now, everything is okay? Yeah. Great. Very cool. I'm curious about the ARMO Best. Like, you know, this security landscape in Kubernetes is is continually evolving ecosystem. There's new CVEs all the time and new
58:43 security practices. Like there's a certain level of fatigue that a DevOps operator or SRE could get from trying to constantly fight all these different vulnerabilities and but but also allowing their development and their application teams to be Yeah. Productive and increasing their velocity. Like, is ARMO Best a kind of opinionated way to try and minimize that fatigue? Yeah. So yes. First of all, I I don't have good news, okay, for all those who, you know, who have fatigue. Okay? Things won't be much better. Okay? And yeah. And you're right. Okay. We are trying to, you know, get some get our,
59:23 you know not just, you know, going after, you know, the NSA and MITRE recommendations, but we are trying to create our own own recommendation package. Okay? But but in in in for the static part, okay, and and I I could totally relate, you know, to your question, okay, that that we are trying to battle this this overwhelming stream of of vulnerabilities and issues and information by trying to build an open source project, okay, which which can give you enough context to actual information that you will be able to handle most of the things automatically. Okay? So
1:00:09 or at least we we are able to I'm not saying to decide everything for you as a as an SRE or DevOps engineer, but but give you the most, you know, you can have in a single plain a pane of glass. Okay. So so you have you can, you know, can make as much less time on this as, you know, as you can. Okay. And not, you know, not to relate not to stick too much around these issues. Okay. Because in in general, okay, this is really hard. It's really, really hard. Okay? And and and
1:00:42 everyone understands that the security, not just in Kubernetes. Okay? In in the modern world, security is hard for everyone. And and that but I do think that Kubernetes is is a great way, okay, and a great project, okay, which really security gives the most it can to to security minded people and and help them with that. Yeah. I guess the another way to phrase this would be if you want a secure system, just turn it off. If that's not an option, then use these tools, use the ARMO Best as a guidance and a compass. But,
1:01:17 I think what's really important and a paraphrasing you still here, but like everybody's, it's gonna depend company to company, right? Like there is no gold star for what security posture is within your organization. You you really have to just understand what's going on in the software and then make those judgment calls yourself, I think is Yeah. Is really important for people to understand. Yeah. But but, again okay. So so, you know, think about it just a little bit for today. Okay. So today, like, I think that we had in the in the credit security community,
1:01:52 we, like, we had two security issues in the past month. Okay? So, again, I'm I'm not good by remembering, you know, numbers. I know it's quite funny from someone who's working in this industry, But but, no, you had one big issue with Argo CD. Okay? A directory traversal issue, okay, which could be exploited by you know, if you have Argo CD in your environment and you are, you know, you're using some malicious chart, okay, or or, okay, to pull your your stuff from, then, you know, someone can steal data from your cluster. And the second was a container escape vulnerability
1:02:36 in the Linux kernel, which was, you know, reported more than a month ago. And in both cases okay. So these were great cases, I think, to understand, okay, that that how complex these things are because okay. First of if you don't have Argo CD in your your Kubernetes cluster, okay, then great. Okay. You are not most likely, you are not affected by this issue. Okay? But most more you know, ArgoCD is is a great tool, and and it's going into more and more clusters. So many, many people were thinking, well, I do have a vulnerable ArgoCD
1:03:13 version. What do I do now? So the next step is simply to start, on the one hand, update ArgoCD. On the other hand, you know, you have to check whether you've been as affected. Have you been what are the list of of Helm charts or or GitHub Git repositories you've been pulling from. And and there use it starts to be really hard, okay, because you have to go understand. If you're managing one cluster, you may be able to do even two, like, three, four, five, and and and, you know, tens or or even hundreds of of developers,
1:03:48 this can be start to become very, very, very hard. The same goes for for, you know, for the Linux kernel container escape issue. Okay? Because it was even even harder because, you know, everyone who uses Kubernetes most likely is running on Linux kernels. So Linux kernels are, you know, even more common than than ArgoCD. So you cannot say that, well, I don't have Linux kernel, therefore, I'm fine. And you start to have, you know, update your kernel, which is a pain it's a real pain. Okay? So it's it's really, really hard, Even you're when you're yet running managed clusters.
1:04:29 And and you start to to have a look at, okay, how what is the attack angle? Okay? How an attacker can get to this? And there, the privileged containers comes into the, know, into the play, okay, because privileged containers were more vulnerable to this. I can actually tell you that even if you're looking into the container landscape, okay, actually, other container orchestrators, okay, which we are right now not pulling by by their name, were less vulnerable, okay, to this container escape than actually the the Kubernetes because Kubernetes was disabling seccomp by default and and others weren't. So and this this
1:05:15 had an effect. So it's really, really hard and really, really hard to understand, you know, these all these small things. And therefore, I think that going forward, the only way we can ham handle these things and not be overwhelmed is to connect more and more information and, you know, somehow, you know, replicate, you know, the the security, you know, all those people who understand security really well and understand Kubernetes really well and and let them code this knowledge into some Rego rule or something like that and enable others simply choose just to take this information and get whether they have problems
1:05:57 or get an answer, yes or no, whether they have problems or not. That's my take. Awesome. Thank you for sharing that. That was great. So another thing, okay, I wanted to show you okay. Again, live demo. I'm I'm sorry. So we have we have we have our own image scanning facility, okay, you can install in your cluster. So I'm going to for that, what we are doing is we are installing Kubescape and other Kubescape components into your cluster with Helm. And this will do two things. One is will enable you to scan your images in
1:06:39 your cluster every day. And the second thing it it does, it also scans your your Kube API just as you saw before in a constant manner. So in other words, if you like Kubescape and want to work with it in a permanent manner. Okay? And and wait a second. Do I have Helm here? What a mess. What a mess. Okay. Nice. Nice. Yeah. We we yeah. We got to this at the end. Wow. Wow. No. Yeah. On Arch Linux helm is helm-bin. Helm is actually something else. Oh, well. A dash bin. Sorry. Dash dash
1:07:30 bin. Sorry. Yeah. It may be an AUR. Do you have an AUR package manager? AUR. Oh, I I mentioned Like, yeah. Or something. Pretty pretty pretty new machine. Oh. And haven't been able to to start to set up things here. So, yeah, this is the but let let me get back, okay, because we have enough data. Okay? So let's for example, let's say we have we have installed, okay, this Helm chart, okay, in in our cluster. Okay? And you will have daily scans, okay, of the of your in this case, for example, in this GKE cluster when
1:08:06 you can see the progress of your cluster day by day. And and not just that, but we're we're starting to have image vulnerability information from your cluster. So you're we are installing our our vulnerability scanner inside your system. We are scanning every every workload looking for for image vulnerabilities issues. For example, I want to see only critical problems, for example, with RCEs. And I can see that, for example, in the the same recommendation service we've seen before which had which which was a privileged component. Okay. I can see here that it also have, you know, a CVE with critical vulnerabilities,
1:08:49 although it's not an RCE. Having said, it is a problem. So, again, this is something you're will relatively new. Okay? And and and we are, you know, we are still working on it and working it more interesting. But in order to for you to understand that we are adding more and more and more information input to to this system to have a more interesting, you know, results and more helpful results for you. Another thing is is our RBAC visualizer which was, you know, started as a pet project for one of us, here. And we said to ourselves, well, you know,
1:09:19 RBAC Visualizer Overview
1:09:27 guys, RBAC in Kubernetes, which is, you know, really today a a a a a part of of of, you know, of Kubernetes security because every modern cluster uses RBAC authorization for it. It it is it is great, but it's a mess. It's really hard to handle. Okay? So so what we've decided is simply, you know, create a a a, you know, a visualization for for what you have for your, you know, for, in your cluster, what you see in your RBAC. So in this case, what you can see here, you can see here a service account, okay, called kube-system
1:10:08 sorry, kube-system default service account of the kube-system namespace, which is bound to the cluster-admin role, okay, which is obviously, it's a pretty high privileged role, okay, in in in Kubernetes, which is actually the highest privileged role. And you can see that that also there is another group connected to the same role, okay, which is called system:masters group. And they have, like, access to every resource. You can see here the asterisk. It can execute every verb on every resource, okay, in this cluster. So it we can see how, actually, how the map, the mapping of
1:10:54 of the what we call the administrator is happening. Okay? But but on their hand, okay, we can start, start to, you know, your lookup more interesting thing. Okay. We can we can so that who has access to Kubernetes secrets? So we can who can do GET on on secrets. Okay? And asking who can perform. So you're getting a graph, okay, of all, the roles and cluster roles in in the environment who have access to resource secrets. Okay? You can see here that on the one hand, where is our basic, admin role. I forgot. I don't see it
1:11:04 RBAC Visualizer Demo
1:11:38 for now, but, for example, we have different roles. Let's try to layout by by type. Okay. We can see here that in the middle, we can see here all the roles, and we can see all the subjects, okay, bound to those roles here. K. We can see here that we have a a user called kube-controller-manager because, obviously, a built in user in in in Minikube. And it has it is bound to to to this role called kube-controller-manager, which has update, get, delete, and create authorization over Kubernetes secrets. Okay? And I don't remember if I have here something
1:12:26 more interesting, but for let's take let's take another, query. K? For example, we've made some pre built queries. For example, who can exec in into pods. Okay? Exec exec integration into pods. Okay. It's, again, it's an important thing, okay, to control. And we can see here, okay, that that the only one who can do it is the, cluster admin. So we are more or less fine. Okay? But, for example, if we've would if there was some kind of a project which which introduces its own authorizations into the system, okay, we see here many interesting things because,
1:13:08 for example, I've we've been talking with a lot of users, and they said that they started to play around, okay, with this, with this, Rawkode visualizer. And and it turned out that they found out the different RPAK and authorizations were were there in in their system, which they didn't know, know about before. So, so it's really, really important, okay, so also to know what are the kind of authorizations you are having in your system. And I RBAC Visualizer is a great great way to to start to understand, what do you have, in your environment. Yeah. I'm going to stop here also for
1:13:52 taking questions. That is the coolest and most important thing I've seen in oil, the rbag visualizer. Like, see when we're talking about exploring Kubernetes clusters. Like everything in the cluster is primarily two dimensional and kubectl get is fine. RBAC on other hand, because we've got names based objects, cluster based objects, we've the aggregation layer for doing, you know, grouping certain permissions. You can't well, at least it's very difficult to understand who has access to what they can do. Now, of course, you can use Kubescape control all through AMI and get a scope thing from an individual user, but
1:13:54 Discussion: Importance of RBAC Visualization
1:14:28 being able to look at that across an entire cluster, this visualizer is just amazing. Whoever built this is now my new hero. This is amazing. Yeah. I think that's, yeah, it's simply a great, it was a wonderful idea. And the credit needs to go also to Youssef and the team from Ankara University who helped us to build it, because they did an awesome job on this. They're coming from the graph theory
1:15:02 direction, and I think that they made a really great tool here. And I just switched to another cluster because my Minikube was pretty boring. But, for example, in this case, let's try the pre-made query: who can exec into pods. So we found so many interesting things, for example, which Google installs. In this case, you can see that not just cluster-admin has access to executing into pods, but also there is a GKE common webhooks
1:15:48 user with the cluster role GKE common webhooks cluster role, which also has access to executing into pods. And, yeah, this is great to understand how things are working. Yeah. For sure. What I like about Kubescape here, I don't know if this is a phrase or not in the Kubernetes security industry, Kubescape seems like it's a full spectrum tool. We've looked at misconfiguration. We've looked at image scanning. There's the RBAC visualizer, and we have the integration with all these security frameworks. And it's really tackling the security thing from
1:16:10 Kubescape as a Full Spectrum Security Tool
1:16:26 all the different angles that people have to be concerned about with their Kubernetes clusters. And I think that's really important, that a single tool can deliver, like you said in the marketing message and the GitHub repository, a single pane of glass for Kubernetes. Yeah. And, again, I'm not trying to say that we've solved all the problems. We are far from that. And we are also trying to make something really new and very useful.
1:16:51 Call for Community Contributions
1:17:01 And, therefore, if anyone who's here wants to be involved in the project, we are welcoming; we have a great Discord channel. And also our GitHub is very busy. So we really invite anyone who wants to join us in the journey of creating this great open source tool to join our ranks. Alright. Should I move back over to just video mode? Are we done with the demonstration for today? Yeah. We are more than done. Yeah. Sorry. Awesome. Sweet. I'll make sure
1:17:42 to include links to the Discord and the GitHub repository in the show notes. We do like to encourage people. People are always watching these videos and asking how they can be involved. So it's great that Kubescape is actively looking for people to come and, I guess, provide suggestions, documentation, and code, and just talk. Right? The Discord server is there for people to share their stories about security. Completely. Yeah. This is very important. Really important. I think that the feedback, I know it's a little bit funny to hear, but sometimes the good
1:18:13 feedback can even go further than the actual code itself. It can be so important to understand how people are using Kubescape and what their problems are, and how we can solve another related problem they have, or how we did things wrong. Because sometimes we might have done something which wasn't right, and we need to fix it. So any input is good input. Alright. Last question for you. I forgot to
1:18:49 Q&A: Licensing and CNCF Status
1:18:49 ask during the demo because the RBAC visualization thing just struck me as awesome. But is anything that you've shown us paid for? Is this all free? So everything I've shown you is free. Even our SaaS version is free. We have a limitation on the number of nodes, which can be seen on the ARMO website, obviously, because this can be a lot of data for us to handle. But, actually, Kubescape is free, and the
1:19:28 CLI tool is free. It's still going to be free forever. And, hopefully, fingers crossed, we've submitted Kubescape for the CNCF sandbox. On March 8 the TOC will sit on it, and hopefully they'll accept Kubescape as a CNCF project. So we'll become a CNCF project hopefully very soon. Well, that would be great. You have my plus one non-binding vote for that. Alright, Ben. Awesome. Thank you for joining us today. I hope everyone has liked what they've seen from Kubescape, from integrating into GitHub Actions to running on the command line to a very cool web
1:20:00 Conclusion and Farewell
1:20:10 UI and the amazing RBAC visualization. So go check it out, join the Discord, and be active in the GitHub. Any last words, man? No. Thank you, guys. It was great being here. Yeah. Again, thanks. Thank you. Well, have an awesome day. Thank you for sharing that demo with us, and I'll speak to you again soon. Thank you very much. Thank you. Bye.