I am cluster-admin, destroyer of everything you hold dear
Speaker: Matt Williams
Summary
Discover the potential risks and challenges associated with managing Kubernetes cluster admin access in this insightful presentation by Matt Williams, a tech evangelist at Infra. Learn the importance of the least privilege concept in IT security and its relevance in managing technologies such as Kubernetes. Williams shares real-world examples of the consequences of skipping least privilege, including major data breaches at Target and Marriott, before diving into a demo of Infra, an open-source project that simplifies file distribution and user access management. Finally, find out how to get involved with the Infra project and contribute to its growth and success.
Transcription
Welcome everyone. "I am cluster admin, destroyer of all you hold dear." Thankfully one of the guys pointed out: is this supposed to say "destroyer of all your whole dear"?
Typo, gotta fix it. So, destroyer of all you hold dear. Hopefully that title makes a little bit of sense to you. Cluster admin: what does cluster admin mean? You know, if you install a brand new Kubernetes cluster, the first output that comes out of that cluster is going to probably be a kubeconfig file, and that kubeconfig file defines you, well, or whoever holds this file, as a cluster admin, and that means you can do anything you want, which is awesome. So we're going to talk a little bit about that and how that could be pretty scary. How lots of people deal with that kubeconfig file. But how you might want to do it right, and at the end of the show we'll talk about a solution that helps achieve that in a really easy way.
My name is Matt Williams. I'm tech evangelist on Twitter for those of you who are still on Twitter or Mastodon. That's the new cool thing. So tech evangelist at one of the Mastodon servers. I don't quite get it yet, but I will. But I work for this little company called Infra and we're trying to make it really easy to manage security on your Kubernetes clusters and some other things as well.
So let's move on.
All right, remote works. Least privilege: that's where I want to start today, least privilege.
You probably know what least privilege means, and if you have an idea of what least privilege means, keep that in your head and we'll compare it to a definition that I found online from the Cybersecurity and Infrastructure Security Agency.
Now, if you are like me, you're probably thinking: who's CISA, who's that? Yeah, so I did a search online. I did a search on Neeva, and so Neeva is a neat search engine. I've kind of replaced Google with Neeva, and I asked it: Hey, who is CISA? And it told me: the Cybersecurity, and so forth. OK, so that tells us who it is. It was done in 2018. So depending on your point of view that could be good or bad, but let's see their definition.
“Only the minimum necessary rights should be assigned to a subject that requests access to a resource and should be in effect for the shortest duration necessary… careful delegation of access rights can limit attackers from damaging a system.”
OK, so that's sort of simple. It basically says make sure you get the minimum rights required to do the job, and as soon as your job is done, drop down to even lower rights. This is not new. Yeah, the agency is from 2018, but the content of this message, I mean, I've been dealing with... I think I first learned about least privilege when I was in an IT organization for a software company in Tallahassee, Florida called PC Docs. So this is not new stuff. But we know, we all know, it's the right thing to do. But it's often not an easy thing to do.
We start with that easy thing to do and you know maybe we think OK this project we're going to start easy and then when we get serious we're going to transition to doing it the right way. Unfortunately we often forget to do that right thing. And this applies to Kubernetes; it applies to other technologies as well.
So I'd like to look at what happens when we skip least privilege.
So first, take a look at Target. So I got a bunch of examples of what happens when we skip out on least privilege, and I'm going to start with Target back in 2013. There's a couple articles that you can see in the smallest type possible down at the bottom of the screen that talk about what happened at Target. Now, the problem with a lot of these postmortems is that, especially for companies like Target, they're not exactly forthcoming with all the details of what really just happened. One of my examples, they do go into a lot of detail, but for the most part companies like this, they like to keep it quiet. So I've had to rely on some journalists that have figured out what's gone on.
OK, so Target, they're a big Microsoft customer. In 2013 they're using Azure, they're using other services from Microsoft, and if you ever work for a software company, one of the things that's really important to do is to try to get case studies. You know, in my role as the first evangelist at Datadog, I tried to work with our marketing team to bring in case study, potential case studies. And the same thing when I was at Microsoft, when I was at all these other companies, trying to get customers who were using it in interesting ways to create a case study so that it kind of helps sell to new customers. So they worked with Microsoft and came up with this really great detailed case study that talks about how Target uses Microsoft: how do they deploy software, how do they manage things, where are all the major systems located, all this information. Target, by the way, is a pretty big retailer here in the US, about 2000 stores, and a general merchandise store. But they also made it really easy to figure out who are the vendors that work with Target, and so they've got this large list of vendors, and for all of us that's pretty interesting stuff. Oh, OK, they work with these people, they've got this network, all good stuff. But maybe you're not on this side of the hacker spectrum.
And if you are on the other side, maybe you're thinking, "Huh, there's where everything is, so if I get in there, here's how I know how to find all the good stuff."
But, you know, you probably don't want to target Target itself, because, you know, they've got this large security team. They had 300 people dedicated to security, based in the US and in India. And maybe one of these other companies that works with Target, maybe we could compromise one of them. And so that's what they did. They looked at an HVAC vendor, and at this HVAC repair company one of the employees fell for a phishing attack and installed a pretty well known Trojan.
In fact, all this stuff that they did, it's pretty well known stuff. This was not a sophisticated attack. But this HVAC repair company employee, he could log into the same Target systems and have access potentially to a lot of other great, great, juicy information also on that network. So, that compromised account, they started looking at all the records and started collecting everything.
Security team was alerted to the problem. They already had a piece of software... come on in, there's just a few spaces left. So the security team got alerted because they were using a tool called, was it called RedEye or something like that? FireEye, FireRed, Fire something like that. And it was alerting the security team, saying, hey, there's a problem, there's this guy, he's got this Trojan on there, watch out. And that tool, FireEye, that's it, that tool could automatically resolve any sort of problems. But Target said no, we want humans involved in this decision, so they disabled all those automatic, you know, things that it could do.
So the hackers were able to spend some quality time skimming credit cards and all sorts of other information from the network, and they grabbed about 11 gigabytes of data over the course of 2 weeks. 2 weeks, 2 weeks! They were in there, they were able to grab all this stuff, and that resulted in about 40 million credit cards and debit cards and information on 70 million customers, all grabbed by these hackers. And in addition to those, I mean, that's pretty bad stuff, but what happened to the company? According to their annual report the following year, Target said it cost them about 291 million dollars. And some estimates say that's as high as, you know, could be about 500 million dollars that cost Target over the course of the next year or so. CIO resigned, sales plummeted. This was just before Christmas, so sales should have been way up and they were way down. And 90 plus lawsuits as well.
So let's move on to GitLab. Now, this is not an external attack, but rather something that was internal, with the best of intentions. There was this engineer who was working on improving overall performance inside with their database solution. And so he set up a bunch of Postgres servers on this staging environment and wanted to make sure he's working with the latest data. So he takes a snapshot of the production database to enable more realistic testing. But taking that snapshot, that puts a little bit of load on the system. And at the same time, roughly, apparently some employee at GitLab was reported for doing something bad. And so they were pulling all the data about this employee and grabbing all the stuff, searching the databases for all this stuff about this employee, what he touched and what he was doing. And that put some additional load on this database. Now another SRE sees this and says, huh, there's a lot of stuff going on and the replication performance is not really that good.
So let's try to figure out what's going on, how can we solve this problem. And what they ended up deciding was that okay so it's the problem is that there's this replication lag in the secondary database. So he wanted to wipe out the secondary database. Okay. It's kind of a drastic next step but whatever. They know what they're doing. And so they start to wipe out the Postgres database directory for that secondary database. Oopsie. Production primary database instead and they wipe out they start deleting that. Within a couple of seconds they say the guy said no, no, no, no, stop. But quickly it was already he already got rid of 300 gigabytes of data. 300 gigabytes is a lot of stuff. And so what's the problem here? Problems. He was trying to wipe out this secondary database but with the same permissions. He had the ability to wipe out this primary as well. And GitLab went down for 18 hours. 5,000 projects lost. Most of them apparently recovered but GitLab's not so sure. They said: “yeah, we think they were all recovered”. We think? I don't know. So comments, users, issues, all that stuff was lost at least for 18 hours.
Let's move on to Marriott in 2018. There's a lot of great examples of people having too much permission and doing not intending to do bad things but bad things happen. So Marriott, 2018. Now, what else was going on in 2018 with Marriott? Well, they had just completed a merger with Starwood. I used to travel a lot for a different company when I was at Open Text and I would travel all around the world. I was always staying at Starwood properties. So I am probably a victim of this particular attack. I know I was. So this was discovered after the merger was done. In fact, they've been blamed for their due diligence not being quite as diligent as it should have been. But basically, a user was compromised within Marriott and a lot of the users, you know, if you're at the front desk of any Starwood property, Starwood is Westin, W, Sheraton, all those, you have access to a lot of personal information, credit card information and other stuff for not just the users or the guests at your hotel but all the hotels.
So basically, admin, almost like admin access for everything. So as a compromised user, let's run some database queries and grab some more information about my customers and hundreds of millions of customer records were lost. Hundreds of millions, now you think, okay, wait, was that what, two weeks, three weeks before it was discovered? A hundred million in two or three weeks, that's amazing. Well, not quite. They had a little bit more time. So apparently, the breach actually happened and was continuously being taken advantage of. It happened in 2014. 2018 minus 2014, that's four years. Four years they were in there, grabbing stuff, grabbing credit cards, skimming credit cards. It's like, oh, it's awesome. I mean, awesome if you're that group, not awesome if you're Marriott or me staying at Marriott.
So let's move on to another one, Verkada. Verkada in 2021, they're a security camera company and credentials found online for one of the users and they had excessive privileges, hence they're in this presentation. Now, it turns out if you worked at Verkada, you had pretty easy access. You know, you could just sign into one system and instantly, whereas you had to provide a reason why you needed to access, but there was nothing really stopping you from accessing all 150 live camera feeds from schools, prisons, and hospitals. How can any user have access to all that information? Now, I know how it happens because you start out a small project, you think, let's go easy, and then we'll transition to going hard and that doesn't happen. I mean, I mentioned I used to be at Datadog. I was first evangelist at Datadog and I remember early on, we all had access to a lot of that stuff, but pretty quickly that got shut down so that not only did you have to provide a reason, but you had to get approval before it would even... I mean, it was technically impossible to access certain types of information unless you had the permission specifically for you.
So, let's move on to another one because this is fun. Anonymous. We don't actually know who this guy works for, but a guy named Rocky Chen wrote a Medium article about a namespace disappearing. And he was able to figure this out because actually the namespace was still there, it just wasn't the namespace he created on his Kubernetes cluster. And so, he starts looking into it and apparently a user accidentally deleted it. And so, he didn't mean to do it and so he put it back. Wrong. And so, that's how it was discovered that there was a problem. Okay. So, figured out exactly who did it and he went over to this person and said, why did you do this? I'm sorry, I thought I was in my test cluster. I didn't know I was in prod. How were you in prod if you were also on your test cluster working on this test cluster? So, there's the problem. And the fact that he's using an AWS assumed role meant that figuring out exactly who did it turned out to be kind of difficult to match all those records together. But Rocky Chen seems to be pretty good at what he does and documented the whole thing and basically shared for us, if we experience this, here's how to solve it. Okay, cool.
So, I'm going to go with even more Anonymous. A friend of a friend of a colleague knows somebody, and I could go further, but I think it was about that level deep, knows a software company that builds tools that are used by law enforcement and security companies. So, they want to be secure. But they were kind of new to this Kubernetes thing and I think kind of new to this cloud thing. And so, one of the devs ran some kubectl command and it did something bad. That was about as much detail as I could get out of them. It started with kubectl, they did something bad, and people got scared. He thought he was in test and he was actually in prod. Oh, we've heard that one before. Yeah, same story, but assumed roles and they didn't have Rocky Chen working for them. So, they never really figured out who did this. And so, their solution was just, delete everyone and start over. Ah, there's got to be a better way to deal with this problem.
So, what's the cost of breaches? There's a great, again, I've chosen the smallest font possible to have my sources. There's an article in Security Magazine that talks about what's the cost of breaches these days. And in 2021, the average cost was $4.24 million. Okay, that's a lot less than the $300 million we saw for either Target or Marriott, but still, it's a lot of money.
Average time to identify from breach to identification, 212 days. Oh, my God, that's like almost a year. And time to actually deal with it, another 286 days. So, 498 days on average from breach to containment. That's awful.
Likelihood of that detected breach actually being prosecuted, 0.05%. That's a pretty small number of cases that are actually prosecuted. And then, personal data is involved in almost half of those breaches.
So, you might be thinking, wait a second, I thought he was talking about cluster admin. So, how is this relevant to this particular talk?
Well, let's talk a little bit about Kubernetes and cluster admin. Yes.
Cluster admin is wonderful because you can do anything you want. You can put out deployments, you can create secrets, you can run jobs. But cluster admin is kind of scary because you can do anything you want. You can delete those deployments or read those secrets or cancel those jobs.
Cluster admin is the worst thing ever because you can do anything you want. You can change secrets, you can delete nodes, you can delete clusters. Oh, my God, there's no limit to what you can do with this. You can just wreak havoc. It's awesome and terrible. So, the answer is simple. Don't give cluster admin to anyone or everyone. Don't do it.
I know it's easy to take that kubeconfig file and just share it with all your friends, give everybody access. You know, I did that when I'm thinking back to a very different topic. I had this Sonos setup at work. I just told everyone about the Sonos client, oh, go, have fun, add people, add songs to your queue. And so, everybody knows that their favorite song is everyone's favorite song. So, the next song shouldn't play at the end of this song, but right damn now. So, yeah, that was unrelated, but I think it was kind of related.
But it turns out creating users in Kubernetes. If you are interested in that story, there is a DevOps Days Austin, Texas lightning talk for about five minutes about me setting up the music system at Datadog's Boston office. A side note.
Okay. So, creating users in Kubernetes is hard. And there's a couple of reasons for that. But the main reason being there are no users in Kubernetes. And so, you're probably thinking, whoa, whoa, whoa, whoa, whoa, I can log into Kubernetes. What are you talking about? Of course, they're users. Sort of.
So, everything in Kubernetes is a resource. There's a resource for all the things. So, look at API resources, you'll see this list of, I don't know, 100 things that there are resources for. There isn't a user resource. There's a resource for certificates and secrets and deployments and pods and all these things, but not a single resource for a user. It's all about the certificates in your kubectl file.
That is what defines a user, is a certificate.
It's not very personable, but that's what a user is in Kubernetes.
So, here's a kubectl file. Oh, I did bad with the colors. I thought that would be hidden by the... Oh, well. Anyway, so this is my kubectl file, and we can see there's some, like, three basic types of information in here. There are clusters, contexts, and users. And I've removed some of the actual content. You can see I say bogus ID somewhere. And, you know, so... Oh, I suggested that there might be a cluster, a host data other than Civo. Sorry, ignore that. Pretend you don't see. It doesn't say digital... Nope, I didn't even say that. It says Civo. Your eyes are playing tricks on you. So, the first thing is cluster, which you will replace with Civo. And so, you can see a fully qualified domain name, or it could be an IP address, it could be something else. But you've got a server name, you've got some sort of certificate authority data where you'll see a certificate in there, and you'll see a name. This is called my cluster. And then you have a user. And you'll have...for each one of these, you'll have one or more of these things. And so, this name of the user is SFO3, Matt, primary admin. And he's got a token or certificate that represents that user. And then what binds the two together are the contexts. And so, again, there's going to be one or more contexts. And in this case, we're binding the cluster called my cluster with the user called Matt, and that is called my context. And again, you're going to have many of these things in your kubeconfig file. Where's my water?
So, what's a role? So, what's a role? Hey, when did we actually start? We started...hey, hosters. When did we actually...we started a little bit late, right? Okay. Sweet. Okay, so what's a role? We're here for...they just told me I'm here. I've got the room for another three hours, so we're set. So, what's a role? Well, a role defines a level of access a user has to the cluster. And it's defined in the form of a resource and a verb. So, here's a definition of a role. We've got a name, in this case, marketing developers. It's got resources, and it's an array of resources. So, in this case, it's an array of one, which is pods. And we've got verbs, and this is an array of the three verbs, get, watch, and list. So, this role says that users who have this role can get, watch, and list pods, and that's it. And usually, there'll be a lot more things in here, a lot more groups in here, but this is what this role has.
So, how do you create a user? Now, we've got roles. How do we create a user? Well, it's a simple nine-step process. First off, we create a key, a user key. Now, so you can use a local command, openssl genpkey. There's also genrsa, but I'm going to go with Ed25519 certificates, so genpkey. Awesome. Now, you create the certificate signing request. Hey, did I see you yawn? No yawning allowed. Okay. Create the CSR, because this is riveting stuff, right? Create the CSR, certificate signing request, openssl req -new. Okay, that creates a CSR, and now you need to submit that CSR to the cluster. So, you're going to put that in a YAML manifest. Now, if you look online, you'll see, oh, well, you just download the CA certificate and key from the cluster, right? Because that's what works when I use it on Kind or Minikube. But I don't know, Civo, managed cluster, DigitalOcean, AWS, all these guys, they're not going to let you download that certificate file for the CA. So, you need to submit it to the cluster and then approve that request. kubectl certificate approve, da, da, da, da. And that approves the request, and now you've got to download that requested, that signed certificate. So, you download that file, kubectl get csr, blah, blah, blah. And then you create a kubeconfig file, but there's no command to create a kubeconfig file. You need to take an existing kubeconfig file that has the cluster information set up, delete all the other stuff, and then run kubectl --kubeconfig myuserconfig, da, da, da, da. And so, adding the credentials and adding the context.
Okay, easy, you're all with me so far. Great. Now, you've got to distribute the file. Somehow, you need to get this file from me to you and no one else. Okay, that's going to be a little bit hard. Hopefully, nobody else gets access to it. You need to make sure it's just between me and you, and that's hard. But of course, you've got to... Wow, why do I say that? Build the kube...I already said that. Okay, so there's these, what, eight steps, seven steps, I can't count. Seven steps, easy, right? Except you've got to keep doing it over and over and over again because those certificates don't expire. And...or, sorry, they do...you can make them expire. You can't revoke them, that's what I meant to say. So, and you want to make sure that bad parties don't have access. So, if they have that kubeconfig file, they have access. And you need to redistribute that. So, you need to do that for all, what, 50, 100 employees, and you need to do this often. Every five minutes? Yeah, sure, that sounds like fun. So, that's a lot of steps.
So, we can automate it, right? Sure, we can. Here's a great GitHub repo by a guy named Brendan Burns. You ever heard of Brendan Burns? Look, you know, he's done a...created a little project you might have heard of called Kubernetes. He's a vice president at Microsoft. It's pretty cool that a vice president at Microsoft is still updating his GitHub repo. I think that's pretty awesome.
Anyway, so that's great, but it doesn't deal with file distribution. That's your problem. You need to get that file from me to you somehow and do it over and over again. And so, that's where Infra comes in. And so, I'm going to do a little bit of a demo. I think I've got, yeah, 10 minutes-ish? Five minutes? What? Okay.
So, the first part of my demo is changing displays from mirroring... Oh, no, to mirroring. We're on a mirror. So, hopefully, yeah, you're seeing my screen. Let me close out IA Presenter, which I felt like trying out for this presentation. And let's open up a web browser. Not that one, that one. Okay. And, oh, yeah, I'm supposed to be on a stream right now. Oops. Okay. So, here I am in infra, and I can see all my infrastructure. I've got two Kubernetes clusters, and I've got two SSH clusters. And I know what you're thinking. Oh, man, is he using his time for a sales demo, a sales pitch at this conference? What? Okay, sort of. But we're an open-source project. It's 100% free. There's no money changing hands. We don't make any money. Well, we've got funding. So, we're not trying to get money out of you. And, yes, you can self-host this. Hey, we don't care. So, we've got Kubernetes and some SSH machines. I'm going to go into my Kubernetes cluster, and I can see the admins and developers already have access. Admins are cluster admin. And I've got this user named Richard. He's a brand new employee of this company. I don't want to make sure that he has access to my Kubernetes cluster. So, I'm actually going to go, let's give Richard access. Richard should have... Now, you can see here I've got roles. And those roles come from... Oh, that's small. Let's bump that resolution up. Not that much.
Okay, that's better. That's better. Yeah. So, Richard, we can give him cluster admin, admin, add... You know, those are the things that come with Kubernetes. Or we've added a bunch of roles with when you install Infra so that you can use some of those roles. But I've also got some demo roles I created just for this cluster. So, as long as you add a specific label, those roles will show up here as well.
So, I'm going to make sure that this user is... Edit. And I'll add that.
So, now let's come over here and try to remember my password. Awesome. There we go. So, I'm going to Infra logout. Just make sure everything's good. Okay, now, cat, what is it, .kube, slash config.
Just... Okay, cool. Oh, no, a CD. Cat. Okay. No, I still did it wrong. Moron. Okay, there we go. Okay, so, there's my kubeconfig file. There's nothing in it. Awesome. So, let's go over here. And I've already set up Richard as a user. So, I'm going to do Infra login. That... We do a contact or a mobile login thing. So, I'm going to say, yes, that user is approved. And now I am logged in. And hopefully, if I run that command again, boom, we've populated the kubeconfig file with, you know, all the information that says you are who you... You are you. And you have the right kind of access. And so, now, if I do CTX, I can see that that primary Civo cluster has been added. And so, I can add that. And now I've got k get pods. So, that's awesome. But if I realize that Richard's an idiot and we should get rid of him, then remove access and cross my fingers, press my return, and boom, he's gone. So, we've just removed access for Richard. We have the same option for your SSH as well. So, if you want to give all your users access to SSH hosts, just add them. And they're there. And as soon as we remove that user from SSH, their connection is dropped. It's not like they lose access next time they log off. No, their access is dropped right away, which is pretty awesome. Oh, Patrick is out of office. You needed to see that, right? Okay.
What else I've got with my oodles of time? Yeah, I think that's about all I want to say. Yeah. Got users, got users groups.
We can pull in all our users from your OIDC data stores. What are you getting up for? Okay. So, we're done with this. Let's go back.
Oh, yeah. Do we have any questions? Well, hold on. Before we have any questions, let's go back to my incredible slide deck. You can see I've got two really important slides to go. Play. How do I play this? I love new software. Okay. Infra. Yep, that's our GitHub repo. There's our demo. Cool. We did a demo. Yep. And 100% free and open source. Yay! And it's on GitHub slash Infra HQ slash Infra. My name is Matt Williams. I'm a tech evangelist on all the things. And thanks so much.
I, by the way, if you have questions, you can ask me questions. And I got T-shirts. So, if you ask a question, you're going to get a T-shirt. You might not get the right size, but I'm going to get a T-shirt. By the way, I was at Datadog for eight years. If you've ever been to a Datadog booth and you've got that super comfy, soft, lovely T-shirt, we got the same T-shirts. It's awesome. Okay.
They are awesome. Okay. Questions?
Please. Mr. C. Hey, Matt. I'm a big fan of your show. I love it. I love it. I love it. Hey, Matt. Great talk. On the hosting side of it, is it HA and have you got redundancy? So, if this goes down... Sure. We got all the things. Good. Hosted in Kubernetes? I don't know. What was that? Is it hosted in Kubernetes? Yes. Yes. So, you can do self-hosted on Kubernetes or there's a SaaS version as well. We don't charge for that either. We don't charge for anything. We don't want your credit cards. Maybe we will someday. But no, we don't want them. HA. That is a longer discussion.
What size would you like? Okay. Oh, the one she didn't grab. Anybody else? Farthest possible person. He looks like he's strong enough to deal with the running. I might pant. He's doing well. He's doing well.
Question is, do you have a Terraform provider and or can you configure exclusively in YAML through a Helm install? Or something to that effect. Both of them. So, Helm, yes. Terraform, yes. Awesome. Thank you.
Terraform, we just added in the last three weeks, four weeks. All right.
Hi. I actually got to try out your demo before I came here a couple of days ago. So, that was great. Just a question about custom OIDC or OpenID or even OAuth providers. Is that, you know, just fork your code and integrate it? Or what are you thinking about? So, the question about what OIDC providers? Yeah. Like if I wanted to use Facebook login or some, you know, other OAuth provider. Yeah. Is that just self?
So, we have support in the product with logos and all for Google workspaces plus the Google social login as well. And Azure AD and Okta and there's another one. And then a generic OIDC provider as well. And because they all support SCIM, but they all do it in a different way, SCIM is supported in Google, Azure AD, and Okta as well. Which is awesome. I don't know if you're familiar with SCIM, but SCIM means that if you add a user into a ontos, say Okta, and maybe even add it to a group, they just instantly show up in our database as being members of that group. You don't have to do anything. It's really cool. Did you want a t-shirt? You can grab a t-shirt.
Anyone else? Run, run, run.
Hi. The project has an API. What's that? An API. API, yes. Yes. So, everything we do in the UI, first off, you can all do every command in the CLI. And there is a full API as well. Full RESTful API for everything. In fact, there might be a few things you can do in the API that you can't do in the UI. And there might be one thing you can do in the CLI that you can't do in the UI for now. But there will be feature parity pretty soon. API for everything. Public API for everything. Not private crazy stuff. All right.
So, I was told I only had one more question. I don't know, like two questions ago. So, maybe one more? Yes. Oh, repeat question. You got two t-shirts. Keep you busy. And, yeah, I definitely want two t-shirts. They're really nice. They are.
What would you say you need help with from the community to take the project further? What's that? What would you need help from the community to take the project further?
I don't know. I mean, it's... Our documentation is great, but it would help if somebody else is also using it and maybe submitting some documentation. That's probably something anybody can do. If there is a great... If there's some other OIDC providers that you want to integrate with and provide SCIM, that would be really cool. And it's so much... I mean, it is a... We're a company of eight people, and we're doing all this. We've been working on it. It was a Y Combinator 2021 company. We've been at it for two years. I've been there for a year after I left Datadog. And so I think we're doing all the things, but there's always more. Thank you.
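Added example, not part of the talk and not Infra's code: a small evaluator for Kubernetes RBAC rules that puts the talk's marketing-developers role (pods: get, watch, list) beside cluster-admin's wildcard rule and lists who is bound to an unrestricted ClusterRole. The objects are constructed samples in the shape of `kubectl get ... -o json` items; the `marketing` namespace, the `pod-reader` role and the binding and subject names other than `cluster-admin` and `system:masters` are assumptions.

```python
# Added example: evaluate RBAC PolicyRules the way the talk describes a role,
# as resources plus verbs. resourceNames, subresources and aggregated roles
# are out of scope here.

# Constructed samples (not taken from a real cluster).
CLUSTER_ADMIN = {
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-admin"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ],
}
POD_READER = {  # hypothetical narrow ClusterRole
    "kind": "ClusterRole",
    "metadata": {"name": "pod-reader"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
}
MARKETING_DEVELOPERS = {  # the role from the talk; namespace is an assumption
    "kind": "Role",
    "metadata": {"name": "marketing-developers", "namespace": "marketing"},
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "watch", "list"]}],
}
BINDINGS = [  # constructed ClusterRoleBindings
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "demo-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "admins"},
                  {"kind": "User", "name": "richard"}]},
    {"metadata": {"name": "demo-readers"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]


def _matches(allowed, wanted):
    """RBAC list match: '*' is a wildcard, otherwise an exact string match."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb):
    """True if one PolicyRule permits `verb` on `resource` in `api_group`.
    Rules that only carry nonResourceURLs never match a resource request."""
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def role_allows(role, api_group, resource, verb):
    """RBAC is additive: the request is allowed if any rule allows it."""
    return any(rule_allows(r, api_group, resource, verb)
               for r in role.get("rules", []))


def is_unrestricted(role):
    """True if a single rule wildcards API groups, resources and verbs together."""
    return any(all("*" in rule.get(key, [])
                   for key in ("apiGroups", "resources", "verbs"))
               for rule in role.get("rules", []))


def unrestricted_subjects(cluster_roles, bindings):
    """(kind, name, binding) for every subject that a ClusterRoleBinding
    ties to an unrestricted ClusterRole."""
    wide = {r["metadata"]["name"] for r in cluster_roles if is_unrestricted(r)}
    found = set()
    for binding in bindings:
        ref = binding["roleRef"]
        if ref["kind"] == "ClusterRole" and ref["name"] in wide:
            for subject in binding.get("subjects", []):
                found.add((subject["kind"], subject["name"],
                           binding["metadata"]["name"]))
    return sorted(found)


if __name__ == "__main__":
    # Core API group is the empty string.
    checks = [("", "pods", "list"), ("", "pods", "delete"),
              ("", "secrets", "get"), ("apps", "deployments", "delete")]
    for role in (MARKETING_DEVELOPERS, CLUSTER_ADMIN):
        for group, resource, verb in checks:
            verdict = "allow" if role_allows(role, group, resource, verb) else "deny"
            print(f"{role['metadata']['name']:22} {verb:7} {resource:12} {verdict}")
    for kind, name, binding in unrestricted_subjects(
            [CLUSTER_ADMIN, POD_READER], BINDINGS):
        print(f"unrestricted: {kind} {name} (via {binding})")
```

Against a live cluster the same functions can be fed the `items` arrays from `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json`.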