Sign Arkansas Assignment of Partnership Interest Secure

Document type sign assignment of partnership interest arkansas secure

well good afternoon good morning or good evening depending upon where you are in the world and welcome to today's DevOps comm webinar I'm Charlene O'Hanlon moderator for today's event and I welcome you as always we have a great webinar on tap but before we get started we do have a few housekeeping items we need to go over first of all today's event is being recorded so if you miss any or all of the event you will have the opportunity to access it later on following today's webinar we will be sending out an email that contains a link to access the webinar on demand and we are taking questions from the audience so if at any time during today's presentation you have a question for any of our speakers please don't wait don't hesitate just use your GoToWebinar control panel and submit your questions and we'll try to get to as many as we can near the end of today's webinar also happening at the end of today's webinar is a drawing for six $25.00 Amazon gift cards so please stick around hopefully you'll be one of our six lucky winners all right with that we'll go ahead and kick off today's webinar which is securing RedHat openshift containerized applications at enterprise scale our speakers today are bjr Ruger Akai I think I got it hopefully who has senior solutions architect is be embedded partners at Red Hat and Jodi hunt who is strategic solutions engine engineer at cyber-ark welcome gentlemen thanks so much for joining me today Vijay I know you are going to be getting us started and and I got a great presentation on tab so I'm gonna put myself on mute let's get right to it Thank You Charlene hello everybody good afternoon good morning wherever you are and thank you for taking the time to be with us on this we're at cyber-ark webinar I hope this is the first of many that we have today I'm gonna be running through the first half of the presentation and I'll pass it on to my good friend Jerry to walk us through the next half and then he also has a demo which will help us understand how cyber Arc's product and openshift work very well together so without further ado let's jump straight in so I'm gonna do a little bit of a history lesson because I love history and providing context to our conversation actually helps all of us understand what happened in the past and how it led to where we are and how it's driving us into the future so reddit currently is the world's number one provider of commercial IT products and solutions based on open source software the key term here is open source right so we are a firm believer in working with the open source community fostering what they do today looking at our customers from an industry perspective where they are want to go what could come down the lane five years from now ten years from now and how we can make that a reality by working with the open source community and then building that or bring that back to make it enterprise create products we are fortunate that we work with more than 90 percent of the fortune 500 companies they at least use one or more of reddits products and solutions in their data centers are on the public cloud environments wherever they are currently present we have definitely more than 14 15,000 employees currently and they're spread across the planet today in 100 more than hundred five offices across 40 countries what that actually means is we want to be close to where our customers are instead of our customers being pulled in to where we are we want to be working with them stay in there and also we are also the first three billion dollar open-source company in the world and we are incredibly proud of that particular achievement so this slide presents how Red Hat works with the open source community every single product that we have came from the contributions of both the open source community and the data developers who have worked with those communities to begin with fedora my dreaded Enterprise Linux came from that we took those that source code hardened it for the enterprise and made it available to our customers and partners and that same mantra has been applied to every product that we have including virtualization OpenStack shift contain a platform cloud forms ansible anything that you can take off that's exactly how we roll and anything that we acquire also gets through the open-source community and then we bring the goodness of what we had put it out there for everybody's opinion and take and then be able to take the goodness from it and take it to our customers and partners and that has not changed over the last two to three decades it stays the same and it will stay the same going forward to begin with when when like say for instance a decade ago when folks said Red Hat and even I was a party to it the first thing that comes to you is - there's a lindara Linux based company sure it still is but we are a lot more than that so as you can see with this kind of provides you a snapshot of the gamut of products we have across the spectrum from the infrastructure level to a platform level to middleware integration and even services right and very huge on those so we have products to cover every aspect of for customers or partners is development ethos and and we work to build developer tools we work to build automation and management tools so that at the end of the day when when a customer or partner uses our products they trust us in what we have done and they see the value by using our products and then do what they can do best and be successful in that business and this is a great slide which kind of goes to show like how rapidly we are developing certain products like openshift and the others but also what we have from from a broad spectrum perspective switching back to open shop which is the theme of this particular webinar open ship 4.4 is the latest release that we have which is being jeered at the end of April open shell 4.5 is slated for release in a month month and a half from now open ship for itself kind of is a paradigm shift from there open shift 3 was a lot of things changed underneath and one of the biggest changes that was made was how to make it easier for customers and partners to install the product itself so with open shoe 4.4 we have reddit's virtualization as an installer provisioned infrastructure so it makes it pretty easy to get it up and running if you already are using reddit virtualization in your data center and also as you're an open sec we have brought it on par with the latest release of open shift we've also gotten to closer to the upstream cuban aries version 1.1 aiding the current one we're at 1.17 with 4.4 and there's a host of other features that have already been g8 like the service part and the service mesh healthly support and a host of other developer features an open shift also doesn't stand in isolation just like any of our where other Redis products our storage is a key part of it and we do have products like open shift container storage which is the same release cadence as open ship container platform itself we've created a number of features our nodal and made it easier to integrate put the storage aspect and the open chef content platform itself to give you a broader view of what open shift can do it gives you a very the same experience across physical virtual or the public cloud environments wherever you want to run it it is built on top of Reddit Enterprise Linux and rel core OS again it has Cuban Ares under the hood that is the orchestration mechanism we have but it adds a lot more services on top of the vanilla Cuban it is that you find out there today with this with respect to platform services with respect to application services and B not being prescriptive of forcing a deliquent team to move to being cloud native and then being able to deploy their applications on top of OpenShift you can bring your legacy applications with few tweaks as long as it can be containerized can run on that platform and take all the goodness of the platform and then be able to be successful on and we that's why I said that we're not prescriptive watered you can take any route to wherever you want me however you want to do it but OpenShift is there to be able to help you get to where you want to go and also there's a host of other developer services and it's constantly evolving so that we want we work with the developer communities out there we see what requirements are what the need is and we always try to address that gap fill that gap with tools and and of course tooling to be able to kind of ease the burden on their lives to be able to bring newer features to their market from their application perspective and at the top is the multi cluster management that's a newer product that we have come up with which helps you manage multiple clusters of cross on-prem or public cloud infrastructure so it kind of gives you a single pane a glass of you for all of the open shipped deployments that you could have to be n into the future going back to that consistent platform theme the subscriptions for the platform the open shop container platform is the same across on-prem and public loads or even private cloud it gives you the same level of capability to do that insulation once you do either install or provision infrastructure or and use a provider provision infrastructure most of it is automated today of course there are a few differences between them but you get the same platform the same product the same feel multi-tenancy is by default it's secure by default because the cons on top of rel and rel core OS over the updates are available you can monitor and also do charge back based on how you slice and dice the namespaces across your organization and it's a pluggable architecture meaning we closely work with our partners say for instance the way they build their operators or they help charge to be able to deploy their products onto the platform successfully by reducing the effort that the end customers have to do to be able to use any of our partners Bronx and openshift is very very big on developer productivity so self self-service provisioning meaning like if a developer wants to test something he can as long as there are privileges provided he can go in and request for a namespace or a project with an open shift pull the code from SCM build it test it and throw that is environment away so that level of self-service provisioning is available with open shift again you can do C sed pipelines you can run Jenkins outside or you can run multiple Jenkins slaves to do all of your little job CSH graphs to be able to move the developer workloads across environments from dev to production configuration management with respect to config Maps and there are a host of other partner products that are available to be able to help with that and one of that is going to be key with respect to security and that's what URI is going to talk about and also a plugin and metrics and how you want to leverage that information to be able to do analysis and analytics both from infrastructure level and an application performance level those capabilities do exist everybody can run either spring apps spring boot applications Java based applications node node.js apps Python apps micro services and all of the languages that are available today including relational and no sequel databases everything can be run on the open shift container platform and that's the range of services that it provides and capability it provides for you to run any of the workloads including say for instance dotnet core work routes so these are the supported providers from an IP I and IUPUI perspective like IP I provides this provides 100% automated installation and that's available on all the public clouds and say for instance if you're doing a non-print private cloud with OpenStack platform and if you already have a tie-up with AWS or as you're or Google and you have infrastructure you can still leverage that and to be able to install openshift on top of it so there is two different types of offering we call that open ship dedicated or customer managed and the openshift dedicated today is available on AWS Azure and Google and IBM cloud where you simply come and request for hey I need to have a cluster with so-and-so things so reddit and say for instance aw as far as your RG Google we help get that installed for you and you and it's available for you from day one to be able to deploy applications and to watching what you do best or you can either do custom managed if you if you say for instance already have a tie-up with those partners and then be able to do an install OpenShift and deploy applications at a later stage again AR o is something that we have where we work very closely with Microsoft and we mean like Microsoft Android at work together so that you don't experience or need to experience the the the installation part or the management part Microsoft and rather takes care of that and those similar things are available across AWS and Google and IBM cloud as well this is another slide I am very proud to talk about because I see a lot of customers adopting OpenShift and this has steadily increased over the past five years across openshift three to OpenShift four and you can see that a lot of these customers are in various industries and verticals including banking and financial services healthcare airline industries aeronautics they're all there and an including travel and hospitality there are a lot of customers who see the greatness of open ship what it can do for them how it can leverage their their developer teams as capabilities to be able to bring features and products faster to market that's why you steadily see an increase of openshift customers being it up being able to adopt this product and then it's not just like these are newer customers whoever we've had in the past they're still with us today and they love the product for what it is and how the future is actually shaping up for this product to be and this would definitely would not have been possible without our partners because they form a large part of our ecosystem because they build their solutions on top of that adds products and that is another huge factor success factor for us in this whole grand scheme of things and fact at the same point about what workloads can be run on openshift you would run all the databases including relational and no sequel databases the new big hype about AI and m/l workloads we are working with with with all of our partners and the community out there to be able to bring those two openshift there are some customers who are already doing that today DevOps absolutely you can do that security and Jory's want to touch upon that it's a huge thing because it doesn't matter if we were able to build a platform and put it out there but if it's secur we will not have any customers on it and we security is a very very key aspect of not just building the platform but how we manage it and maintain it going forward monitoring capabilities are already baked into the product you can either use those or you can siphon the data and then if you have any external tools you'll be able to use that as well Big Data workloads also to run and and when we have partners who have brought in their product to be able to build their own private platform or private cloud on top of OpenShift itself so that's the greatness and the goodness of the product which helps you do whatever you need to do as long there as long as you meet certain criteria to be able to do that operators is the key theme that's one of the ways that openshift helps say for instance we want to build a product which has certain capabilities and you want to kind of lessen the impact of installation and maintainability you would want to build an operator package your product as part of it and then be able to deliver it as part of the operator hub or even that it has multi place that's out there today so it is one of the key things that we attribute to and that's something that everybody is looking at and then we advocate that on a day-in day-out basis to be able to build a product and type to the operator framework an operator SDK is just like your Java SDK or anything out there which kind of gives you a platform to build an operator on top of it with that being said and witho t further ado I would like to pass the buck to Joe or Jody Jody BBJ yes give me all right yes awesome thanks for that intro so as we J said security is top of mind with openshift anybody that's worked with open shift or move to open ship from kubernetes will see that firsthand that there's a lot more role based access control is it's I always describe it as the hardened version of kubernetes so when you're serious about security and kubernetes it's going to be open ship that you're going to be using we see a ton of interest in open ship and our install base simply for that reason because when people are security minded they tend to be using our products and when there into a container or orchestration platform they're going to look for the more secure platform so the the healthcare system customers the financial services customers that we talk up to the customers that are really security minded are tend to be using OpenShift over kubernetes let's see do I have see can you advance the slide there BJ so the the thing that we are very cognizant of is that sometimes the relationship between security and development can get a little tense and so we want to mitigate that as much as possible these are our two two very important organizations in every company and both have their agendas the things that they want to do development wants to deliver business value security needs to make sure that the the businesses assets are looked after and protected and sometimes those those goals are in conflict so as much as possible what we want to do is enable the the the development organization to be secure without overly impeding their their ability to deliver business value so so this is top of mind and when we're delivering solutions is how do we make things easier for the developer in such a way that security just happens that it's it's a part of their workflow and that's something that they have to be constantly aware of and have to work through the if you make the right thing to do the easy thing to do then compliance comes comes naturally and so that's really what we want to do is provide that kind of capability PJ can we go to the next slide so this is describing that what we're enabling the developer and devops organization to do is consume secrets and that's what we're going to walk through its various ways that applications can consume secrets to connect to a target system in this case a database we want a free developers from having to be responsible for the things that security does as a part of its its job the compliance audit requests for provisioning access managing security budget or being responsible for aspects of the security budget we and equally want to empower the security team to enable these these solutions provide a platform that covers human and non-human access because there's some continuity their application identities applications are deployed either by people directly or indirectly through automation and so the the automated processes need identities because those are true privileged identities that that have root-like access to target systems for configuration and deploying applications and then similarly applications need identities in order to connect to databases and other services so we're trying to enable both sides of this equation shift security upstream shifted left into the development workflows so that it becomes just a natural part of the rhythm of development not something that's tacked on later which which can be problematic so if we go to the next slide the the problem that we see is that while developers have gotten the message that embedding passwords or hard coding secrets in source code is a really bad idea you need a place to store those secrets if you're not going to have them embedded in your application so where do you store those well there's no lack of places to store secrets most of if not all of the DevOps tools and cloud platforms have a place to store secrets some kind of vaulting capability for storing and retrieving secrets but these solutions in many cases are not very secure you may have dealt with kubernetes secrets will show an example here where as you may know community secrets are only base64 encoded so or not what we would hold up to a standard of high security most of these solutions are not not ready but the point is even if all of these things were secure having multiple ways of storing secrets makes it hard to share best practice best practices establish best practices hard to provide segregation of duties and it certainly makes governance risk compliance reporting next to impossible so this is the problem that we're solving with and if we go to the next slide with a solution that spans the enterprise so what we're providing is a Enterprise spanning service that can be delivered by the IT security team that solves both human and non-human access requirements we want applications to be able to get their secrets in a way that's natural for the applications but is provided and sourced from the same resources that are controlled by the security team for for human access as cyber arks been doing for 20 years so we see this as a natural extension of what we've been doing for for a long time now we've been securing application access for well over ten years but at with the rise of automation and certainly with the rise of container orchestration the challenge has become how do you do that in these very dynamic environments and so that's what we're going to be focused on today while we have out-of-the-box integrations with robotic process automation solutions security scanning solutions the things that you see on the Left we have a number of partner companies that have built integrations that use our solution for provisioning secrets so you think about a container scanner or excuse me a security scanner it needs to connect to multiple different back-end systems it needs credentials to do that and that's why we have a hefty link those customers are companies that have built integrations for doing just that but as we get more into the DevOps phase and especially with container orchestration we look more toward the development community and how do we enable the development community to deliver that business value quickly but also do it securely and to do that we are providing this enterprise Fanning service for secrets management so that takes us into what are we really going to be talking about today if we go to the next slide the the solution that we are providing is as we say it's an extension of what we've been doing for a long time our our vault is the system of record for secrets for many many thousands of customers today they are using the capabilities provided by our solution to control human access to resources and many cases are already using that to control application access to resources now we're talking about applications being deployed and open shipped and these applications as you know may not live very long.they they come and go they move around and that that complicates the challenge of providing a strong authentication strategy for for authenticating first these applications controlling their access second and then auditing their access third so the solution that we've provided does just this in open shipped and what we're going to do is step through a few examples of how applications can retrieve their secrets in an open shipped environment we go to the next slide we'll look at the architecture for this so this is the the architecture for the lab examples that we're going to walk through here so the enterprise password vault is actually running on my laptop here here down in Austin Texas that it is synchronizing secrets to a a primary node and the dynamic access provider cluster so that the dynamic access provider is a solution formerly known as contra Enterprise it is a part of the cyber-ark products suite there is an open-source version available called conjure still so conjurer org is where you would go to get the open-source version the enterprise version is called dynamic access provider that it's a multi node architecture and the the primary node is actually running in Azure so the synchronizer on my laptop is connecting to that master node or that primary node and Azure and it's it's replicating we're replicating these secrets that are managing the core vault that primary note and then it replicates those secrets to other notes that provide read-only access to those secrets so this is how we start distributing secrets around a distributed architecture or an extended enterprise you can run followers where you want access to secrets followers depicted by the the multi triangle diagram down at the bottom when the cyber lab names face the followers are actually running in open shipped and they are serving secrets to the applications in open chef so applications can get their secrets from a local provider they're not making long-distance calls through firewalls and security groups in order to get their secrets they're getting them from a relatively local source and that source is kept up to date by this synchronization process that we've set up so this is the the depiction of the lab we've got the follower running in a namespace called cyber lab and we've also got a my sequel database there that's going to represent the target system this is the thing that applications want to connect to and then we've got a user name space which will be user one this is actually going to be using a lab that that Vijay and I have been collaborating on for a showing how to do secrets management nobody showed so the the cluster is actually running in AWS and we actually used the AWS deployment capabilities Nova shift4 to put put that cluster out so this is using version 4.3.3 so almost up to date with the latest release so this is something that you could deploy today and it works back compatible with the older three dot X versions of open shipped as well so if we go to the next slide I'm going to walk through I'm gonna tell you what you're going to see you know I'm gonna show you and then we're going to then we'll come back to that to to see to review what we saw the overall workflow for retrieving a secret is first you authenticate so however authentication happens in this case authentication is done for us by a helper container in the pot so the application is not responsible for authenticating itself and we're actually using a variation of a protocol that is used in an other cloud native asked applications like sto for example the the SDF service mesh uses an authentication protocol that's similar to what we're doing basically what we're doing is validating the identity of a pod with the openshift platform so we allow lists or whitelist the applications identity in terms of metadata that can be validated with the open shipped platform this enables the Authenticator to then receive credentials issued by the follower in the form of an x.509 serve and private key to set up a mutual TLS connection with the follower and then get an access token that it can provide for the application so all of that authentication protocol is handled by the container the application simply gets an access token and it can use that access token to retrieve secrets this access token is short-lived so after eight minutes we would have to really and and so we'll show the various ways that this happens and in the various ways that we can relieve the developer of having to retrieve secrets for themselves but this workflow authentication has to happen with it's a zero trust model default deny if you're not authenticated you can't do anything if you're authenticating then you're only allowed access per a policy that defines what the identity is allowed to access so it's extremely secure we typically can spend a good hour to an hour and a half on this topic so I won't won't belabor it any more now but we'd be more than happy to set up a session with anyone that's interested to dig deeper and into this this whole process and how it works so that takes us to the labs so where we'll see some aspects of this workflow will especially see the access token that's provided by the Authenticator container but if we step to the next slide we'll describe what the what the demos are going to look like so in the first lab a lot of people just want to use an API they don't want anything more than just tell me where I go to get my secrets to show me your API and most often than not they're looking for a REST API and so we have that and it's documented you can go to Doc's Cybercom all of our documentation is online there's no gate around it so it's free to access so in the first example we're going to use a REST API just simply pull a secret so what we'll see is it's just a simple bash script that picks up that access token that's provided by the Authenticator the Authenticator is running as a sidecar so it stays running and it can refresh that access token on a regular basis so we always have the ability to retrieve secrets and that makes sense if you're using an API because the API may need to pull secrets through the lifespan of the application running so we'll see how we can use that access token to retrieve the my sequel database username and password and connect to the database so that'll be the first example I'm going to step through all of these because when we switch I don't want to switch back and forth between BJ's presentation of mine we start doing the demo so the second example is going to be an example of secrets injection that's going to be using an open source component that we built called summin summin runs in the application container and it pulls the secrets and calls the application with those secrets and environment variables the beauty of that is the application developer doesn't have to know how to pull secrets the application simply accesses those secrets as environment variables but those environment variables are dynamically instantiated by summoned using the same identity so it's using still the same authentication strategy using that access token to retrieve those secrets but now the application can get its secrets without having to know how to retrieve them and and connect to the database so that'll be the second example that we look at and in that example the Authenticator is running as an init container because it provides that access token when when the the application container starts summoned picks up that access token retrieves the secrets calls the application and then the application is often running with those environment variables but it starts to beg the question what happens if those values has changed what happens as secrets get rotated while the application is running so this is an aspect of password change management that often comes up and we'll see a couple of ways to to solve that in lab 3 oftentimes applications are already built to use kubernetes secrets or open ship secrets and while those aren't ideal from a security aspect it would we've had a lot of requests and we've delivered a solution that will dynamically instantiate Coover and any secrets so so in this case what happens it's the Authenticator running as an init container will often authenticate will actually retrieve the secrets described in a secrets a kubernetes secrets manifest and then patch that secret with those instantiated values so the kubernetes manifest does not have the base64 encoded values for the database username and password those are dynamically patched and we'll see how that works but this is proven to be pretty pretty popular because a lot of folks are already using kubernetes secrets this makes that migration very transparent and very easy while increasing security so getting at that sort of reducing the friction between development and security this is a way of doing that the last example is using a solution that we provide called secret lists so as we'll see in all the first three labs we display the user name and password and that in itself is a problem because applications can inadvertently leaked secrets in logs or to standard out or you know when they're doing debugging and if that happens in production then the application can inadvertently leak production secrets so the best-kept secret is the one that's never hared and that's what secret lists is all about secret lists proxies the applications connection to the database secret lists is the thing that authenticates that retrieves the secrets and establishes the connection to the database the application doesn't use a username and password it doesn't have access to the username and password it never gets the username and password it simply connects to the database as if it were listening on the local court what's really listening is that broker and it establishes that database connection using the secrets that are never shared with the application so that's the fourth example that we'll look at so with that Vijay if you'll make me presenter I'll start walking through these scenarios and we'll come back to review that he's just so that everybody is is if they have any questions about what we're talking about then we can certainly show that absolutely Joey give me one more fish all right all right EJ are you seeing my at this point yes I can see that all right so the first example so I'm just to give a kind of a overview here is our cluster is running up an AWS you can see that the provider is a double yes we've got four notes to or admin notes to our worker nodes we've got a the a namespace we go to our projects here we've got a name space to call cyber lab which is running our follower and if we look at the the workloads here in the pods we've got a follower and the my sequel database we can get the the fancy rendering here that if we switch to developer and you see those two paws running a project so the the sequel database is really what we are wanting to connect to if the follower is going to be providing the credentials to connect to that database and we're going to see that in those four scenarios that I walk through so that first one where the Authenticator containers running inside a car so if I do it OC get pods we see that we've got my four examples running here so I'm going to look at this example first we can see that there's two containers to readies so that's the application container the Authenticator continue by exec into that I'm just going to use my utility here to avoid typing I'm going to exec into this container and cut out this script which is that bad grip that I talked about that use the REST API to retrieve the secret so these are the names of the secrets that I'm going to retrieve the first thing I do is I pick up that access token that's provided by the Authenticator containing so I don't have to know how to authenticate all I need to do is know where the Authenticator put that that took missing a shared memory monkey so I picked that token up a 64 encoded friend of Lights the control characters Burling code the the names of the variables that I've known retrieved so these slashes become % 2f then I make my rest calls using curl and using that token as a bearer token to retrieve the username and the password yeah flows which is basically leaking the secret but just showing that we've got that and then I make my my sequel client call using the username and password and it will complain that putting those in the command line is insecure but you know this is the demo so worried about that so here we see I echoed the values of those secrets so these seekers were retrieved from the follower using the REST API and now we're connected to the my sequel database and let's do things like show databases you know now now if I am the application I can do whatever this account is allowed to do in that day to date so that's the first example as we said that the the sidecar deployment refreshes that access token so that the application can always retrieve its secret service you're using an API you have to retrieve all your secrets upfront you can retrieve them as the application is running and use that access token and know that access token is always going to be fresh as long as you keep picking it up and that's that's critical because if you keep that access token and that 8 minute window expires that access token won't we did anymore so you need to keep getting that access token from the file so that's that's a sidecar for example so let's look at an it container example this is going to be using summon to retrieve secrets and as we said summon is running in the application container so this has to be billed that's part of the application so if I say summon here it's going to say tell me what I need to run so what I'm going to run here is a much simpler or my sequel application called my sequel summon and this we see all it's going to do is echo the values of the environment variables and then as before use those environment variables to to to connect to the database now if I run this without running summon first then not much is going to happen because those are my variables are populated the way someone knows but to populate is through a file called Secrets camel so this is a helper file that describes the names of the secrets to retrieve and the names of the environment variables to put their values in so this summon will iterate over this file retrieve a secret with this name saying the same thing we saw in the the rest application so we're always going to be pulling the same secrets the username and password for the my sequel database in this case now someone's going to pull those secrets and call the application with those secrets environment able so I say summon now I say my sequel summon not those environment variables were populated well guess what my my token expired I deploy this application before the webinar started and so this is an example that we wear the access token has now expired so what what you need to do is we can deploy that when they let me do that real quick so I'm redeploying the application which will restart the init container which gets what's the authenticates provides that access token and then we'll have a fresh access token that we can actually use in the application so that's a prime example of the difference between that sidecar deployment and the initiative in deployment so it's still initializing this is exactly why I had everything deployed earlier so so now we're going to run this in how we should have and that is more friendly to us well let me in to vote me the secrets provider we may come back to that but what I want to show so as I said the third example is using kubernetes severs and dynamically instantiate instantiated kubernetes secrets which is is something that customers seem to like because their applications already using kubernetes secrets they realize there are some trade-offs with giving any secrets we're always quick to point out that caveat the kubernetes secrets especially mounted as environment variables may be visible to certain tools outside of the container so if you were going to use given any secrets we always recommend mounting them as volumes not as environment because our tools up for that can show you the environment variables for for a given PI but once their secrets you can do whatever you want to them because now they're just native covered any secrets it's just that we're dynamically patching them so the way this works is we look at the the secret manifest here so the problem with one of the problems with kubernetes secrets so I talked about the runtime fact that they can be exposed as environment variables the other thing is if you have a manifest the manifest is going to have those secret values basics before encoded so if I have these values here and I cannot cat this value or echo this value here and I get to base64 decode then I get the name of my database so if this gets checked into my github repo then it's very easy for someone to go through and find those secrets and decode those and potentially get your username and password we said okay here's a map here's an array of values keys and values the value here now isn't the value of the secret the value is the name of the secret at the follower same the same values that we've been using the other examples and now what the provider is going to do is pull those secrets and patch this this secret at runtime to basics before encode those values as if they've been part of an manifest but the manifest never has the username and password in it it's fully got the names for those secrets and so that's what the the provider does if we look at the logs for example so the the provider runs as an init container it authenticates and so what I want to do is look at the logs real quick of the secrets provider so this is the I've got it in debug mode so just we show the world here so we log in and we're authenticating as this identity I would get logged in we get our cert cert this is our authentication credentials issued by the follower after it successfully validated the the identity we successfully authenticated now we're we're treating the DB credentials in the namespace we're processing that conjure map retrieving these secrets and then updating DB credentials in the namespace so if we look at the secret here we do an OC describe secret DB credentials now we see we've got a user name and password of both 8 bytes these are you know that's that's smaller than what it was before if we do an edit we can actually see those values and we can see at least that they are now instantiated so here we see there the password is instantiated so that we've dynamically patched the secret to contain the basics before and critic password if I echo that value and pipe it to my a 60-40 code then I get my my password back but that wasn't part of the credential that's that would be stored in your this one so we can see that those didn't exist that was only exist in the runtime example so they don't get checked into github they don't get stolen and and life is good so if we if we exactly into the container now we can see where these these are provided and I'm mad at both environment variables and in the volume just so that to show that example so if I do an e and V and grow up for things beginning with DP under bar then we can see there's my test app username and password mounted from the kubernetes secret so it's just a native kubernetes secret at that point but has been dynamically patched so that those secrets are only there for the lifetime of this application I can also retrieve those secrets as as we recommend as volume mounts so here's the password and the passwords there too so that's what I will be using here when I do the provider it will use the value retrieved from the file to connect to my database so now I've connected to the database with the secrets provided Xfinity series but realize these examples I am echoing the username and password the application has direct access to the username and password so that can connect to the database well what the application really wants is the connection to the database and the credentials are just a means of controlling access to them so what if the application didn't have to retrieve secrets at all and that's the the idea behind Siegrist it's using a proxy connection which is what we use to control human access to privileged systems so in the in the user space when a human needs root access to a target system the cyber-ark privilege session manager will have the user login as themselves to cyber-ark and if they are authorized to access that target system the privilege session manager will establish a root session using the root password on that system and monitor that access so the user never gets the root password and that's why we say the best-kept secrets the one that's never shared so what I'm going to do if we look at the mice equals secret list example here executive the container you and I've got a log down here on PD on the secret list broker so this is the proxy container so it's running as a sidecar in the same pod with the application the application in order to connect with the database is just going to try and connect to the database as if it's listening on the local port 3 306 the default default port for my sequel so there's no username there's no password there's no URL nothing could be simpler here right and the application is not going to get access to the secret so what we'll see we see that the listener is listening on the local course so basically the secret is broker is listening and so when the application goes to connect the broker is going to authentic que retrieve secrets and connect the application to the database so I didn't need to user name and password I don't get the user name and password but I still get my connection which is what I wanted in the first place so this is building on that sort of rich tradition of proxy connections that has proven very very successful in the inner space and now we're applying it to applications and this works for my sequel works for sequel server Postgres HTTP and HTTPS connections and SSH connections it's a multi protocol broker for providing access without divulging the secrets that provide that access so that's the demo so why don't we flip back let me make you presenter again DJ let's let's kind of summarize what we did here and then answer any questions you there it comes okay so just to review we saw you know four different ways of retrieving sequence first with a REST API you think that access took and provided by the Authenticator and that access tokens kept fresh because the access token through the Authenticator is running as a sidecar second example which we didn't quite get through is where summon would retrieve those secrets and then call the application with those secrets and environment variables third example is where we dynamically patched the kubernetes secrets to provide the the more native kubernetes or OpenShift experience that works equally well in kubernetes eruption and that way applications can use kubernetes secrets like they're used to with the kubernetes secrets don't get checked into github and then then the last example we use the secret list broker to broker the connection in the database without the application ever getting the username and password which we saw you know was very easy for the application to leak in the other examples so that give you a sense of what we're trying to do especially in the openshift space the the things that that I really liked and appreciate about openshift is its strong role based access control where we can grant exactly the privileges needed to do these operations and no more and so our deployment models and our labs really leverage that fact where are this multi-user lab that I was walking through here each user is only able to deploy in their environment while other applications can be deployed another environment so we can partition responsibilities very closely we can assign identities to applications based on open shift service accounts and the namespace that they're running in and stoked by the cluster that they're running in so you saw BJ mentioned the multi cluster management that red hats rolling out being able to establish an identity you know a good good example is you want your your dev cluster to mirror your Prada but you don't want your dev identities to have access to your prod resources so having identity scoped by the cluster is very important you want the dev identities you want your namespaces and serves the cows to be the same but you don't want an identity that's in dev to be able access production secrets and being able to define identities using the the cluster ID the namespace ID service account gives you that sort of specificity around identity definition that that's required for good segregation of duties so why don't we switch to a question and answer I think we're starting to run short of time yeah we do have a couple minutes for questions if you do have a question please go ahead and use your GoToWebinar control panel and submit it we're probably not gonna be able to get to everybody's questions today but please know that the folks at Red Hat in cyber are before beginning a copy of all the questions so even if we don't get to it during the webinar they will be able to answer it offline post webinar let's go ahead and go into the first question here let's see let's see cyber-ark mentioned i think four different ways for how applications can fetch secrets including REST API and environmental var ables what would you recommend I use for open shift applications I'll take that one and I would say if secret list works for it I would go there first because that is it's going to be the most secure it's very much in line with with service match type architectures so it's it's it's it's very forward-looking and we're investing pretty heavily in it but if for summer so for example it doesn't yet support Oracle database so if you if you need connections to something that super list doesn't support then you can kind of pick you know pick your poison as they say a lot of people seem to like the the fact that we can dynamically patch kubernetes secrets and use those and kind of get around some of the security concerns that could burn any secrets introduces so I would probably recommend one of those two approaches first but you know everybody's different some people really just want to use an API and so we've got the REST API plus we've got dotnet Ruby go and Java client libraries that wrap the API and give a higher level interface to those capabilities all right great we're about five minutes to the top of the hour if we could do one very very quick question next and then we'll close our question and answer period here it is what is the release cadence for open shift for Dex yeah that's a great question I surely am so currently the cadence is about three to three and a half months and that's been the case with all of the open shift minor releases with four so far so we came out with 4.1 right after the summit last year and then it's been progressing 4.5 is slated I believe for at least some time in July or early August and that three and a half month cadence would be there because there's a free space of activity and features being positioned for open shift based on what we see with our customers and partners and those are getting baked into the product and tested as quickly as possible so the cadence about three to three-and-a-half months okay all right great as I said if we didn't get to your question I apologize but the folks at Red Hat and cyber-ark will be getting a copy of all the questions so I'm sure they'll be more than happy to follow up with you offline to get your question answered I do want to thank everybody who did submit questions though we did have a lot of them and and I'm sorry we just ran short on time do want to remind the audience also that today's event has been recorded so if you missed any or all of the event or if you just want to watch it again you'll be able to do so you will be getting any email following today's webinar that contains a link to access the webinar on demand and the webinar is also going to be living on the DevOps comm website so you can always go look for it there just go to DevOps comm slash webinars look in the on-demand section and it should be right there waiting for you okay at the top of the webinar I did mention that we would be doing a drawing for six $25 and let's fun gift card so let's go ahead and do that right now let's see our first winner today is Alex Dee congratulations Alex our next winner is David Elle congratulations David our following our our third winner is Philippe n congratulations Philippe our fourth winner is Joan s congratulations Joan next winner is Scott F congratulations Scott and our final winner today is Toni M congratulations Tony congratulations to all of you we will be following up with you via email to get your $25 Amazon gift card over to you so please check your inbox for that all right well Vijay and Jodie thank you so much for a great presentation today lots and lots of really great information that in that judging from the number of questions we got from the audience I know they got a lot out of it also so thank you very much for your time and your expertise really appreciate it Thank You Shami Thanks great I also want to thank the audience for joining me today this is Charlene O'Hanlon and I am signing up you have a great day everybody please stay safe