
Binary Authorization in Kubernetes


Kritis is an open-source solution for securing your software supply chain for Kubernetes applications. Kritis enforces deploy-time security policies that ensure only trusted container images are deployed to your Kubernetes cluster. With Kritis, you can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. Kritis enables tighter control over your container environment by ensuring only verified images are integrated into production.
Talk outline:
- Introduction to the concept of binary authorization
- Live demo of using Kritis and Grafeas for deploying images with confidence in Kubernetes
- Grafeas and Kritis roadmap
At the end, attendees will gain a solid understanding of the process of binary authorization and how to incorporate it in their build and deployment pipelines.

Published in: Software

  1. 1. Binary Authorization in Kubernetes. Aysylu Greenberg, Google; Liron Levin, Palo Alto Networks
  2. 2. Who are we: Aysylu Greenberg, Sr Software Engineer @ Google, Eng Lead of open-source Grafeas and Kritis, @aysylu22. Liron Levin, Chief software architect @ Prisma Cloud Compute, Grafeas and Kritis contributor.
  3. 3-6. Today
     ● Why we need binary authorization
     ● Improve the security posture of your k8s cluster
     ● Learn about exciting open source security technologies
     ● Have fun and see cool demos
  7. 7-9. Software supply chain: Code → Build & Test (CI/CD) → Deploy
  10. 10-13. Software supply chain - reality
     ● Which images are deployed right now?
     ● Did all deployed images pass required QA tests?
     ● Does vulnerability CVE-2017-5638 (Equifax, Apache Struts RCE) impact production images?
  14. 14-15. Software supply chain: Code → Build & Test (CI/CD) → Authorize → Deploy
  16. 16-18. Binary authorization - use cases
     ● Require images to be signed by trusted authorities:
       ○ QA
       ○ DevOps
       ○ Security tools
     ● Require images to pass some restrictive security criteria (e.g., no critical severity unpatched vulnerabilities)
     ● Continuously monitor our inventory
     https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
  19. 19-21. Open source
  22. 22-28. Pod lifecycle
     ● Kritis - Admission controller for policy enforcement
     Flow: Kubernetes API (Create a pod) → Validation webhook (Validate pod) → Kritis → Image security validator → Fetch policy (CRD)
     Admission webhooks receive admission requests and do something with them.
     Kritis policy is a CRD.
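The validating-webhook step above is easiest to see with the request and response written out. The following Go program is an added example, not Kritis code: it decodes an admission.k8s.io/v1 AdmissionReview (only the fields it needs are modelled), collects every image the pod would pull, runs a pluggable validator over each one, and returns the response the API server expects, with the request UID echoed and a denial message naming the offending image. The validator used here, DigestPinned, only checks that images are referenced by digest; the sample request, its UID and its digests are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Only the parts of the admission.k8s.io/v1 AdmissionReview that this example
// reads or writes are modelled; the real objects carry many more fields.
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the Pod being created
}

type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}

type Status struct {
	Message string `json:"message"`
}

type Container struct {
	Image string `json:"image"`
}

type Pod struct {
	Spec struct {
		InitContainers []Container `json:"initContainers"`
		Containers     []Container `json:"containers"`
	} `json:"spec"`
}

// ImageValidator is the hook where policy lives; in Kritis this is the image
// security validator backed by Grafeas metadata. Here it is a plain function.
type ImageValidator func(image string) error

// DigestPinned is a minimal validator: a mutable tag can resolve to different
// bytes on every pull, so only digest-referenced images are accepted.
func DigestPinned(image string) error {
	if !strings.Contains(image, "@sha256:") {
		return fmt.Errorf("not pinned by digest")
	}
	return nil
}

// Review decodes an AdmissionReview, runs the validator over every image the
// pod would pull (init containers included) and returns the review with the
// response filled in. The UID must be echoed so the API server can match it.
func Review(body []byte, validate ImageValidator) (AdmissionReview, error) {
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil {
		return AdmissionReview{}, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	if in.Request == nil {
		return AdmissionReview{}, fmt.Errorf("AdmissionReview carries no request")
	}
	var pod Pod
	if err := json.Unmarshal(in.Request.Object, &pod); err != nil {
		return AdmissionReview{}, fmt.Errorf("decode pod: %w", err)
	}
	resp := &AdmissionResponse{UID: in.Request.UID, Allowed: true}
	all := append(append([]Container{}, pod.Spec.InitContainers...), pod.Spec.Containers...)
	var denials []string
	for _, c := range all {
		if err := validate(c.Image); err != nil {
			denials = append(denials, fmt.Sprintf("%s: %v", c.Image, err))
		}
	}
	// One bad image denies the whole pod; the message is what kubectl shows.
	if len(denials) > 0 {
		resp.Allowed = false
		resp.Status = &Status{Message: strings.Join(denials, "; ")}
	}
	return AdmissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp}, nil
}

// SampleReview is a constructed request (UID and digests are placeholders):
// two digest-pinned images and one mutable tag, so the pod is denied.
const SampleReview = `{
  "apiVersion": "admission.k8s.io/v1",
  "kind": "AdmissionReview",
  "request": {
    "uid": "constructed-uid-0001",
    "object": {"spec": {
      "initContainers": [{"image": "gcr.io/my/init@sha256:0000000000000000000000000000000000000000000000000000000000000001"}],
      "containers": [
        {"image": "gcr.io/my/image@sha256:0000000000000000000000000000000000000000000000000000000000000002"},
        {"image": "nginx:latest"}
      ]
    }}
  }
}`

func main() {
	out, err := Review([]byte(SampleReview), DigestPinned)
	if err != nil {
		panic(err)
	}
	enc, _ := json.MarshalIndent(out, "", "  ")
	fmt.Println(string(enc))
}
```

Serving this over TLS and registering it through a ValidatingWebhookConfiguration is left out; the point is that the webhook's whole contract is the JSON in and the JSON out, and that the decision covers init containers as well as regular ones.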
  29. 29-34. Example policy
     apiVersion: kritis.grafeas.io/v1beta1
     kind: ImageSecurityPolicy
     metadata:
       name: my-isp
       namespace: default
     spec:
       attestationAuthorityNames:
       - kritis-authority
       imageAllowlist:
       - gcr.io/my/image
       packageVulnerabilityRequirements:
         maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL
         maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL
         allowlistCVEs:
         - providers/goog-vulnz/notes/CVE-2017-1000082
         - providers/goog-vulnz/notes/CVE-2017-1000081
     Callouts:
     ● kind: the Custom Resource Definition. Supported values: ImageSecurityPolicy, GenericAttestationPolicy
     ● attestationAuthorityNames: allow deploying images signed by 'kritis-authority', so that previously admitted images are re-admitted on pod restart
     ● imageAllowlist: allow specific external/infrastructure images
     ● maximumSeverity: constraint on vulnerability: vuln severity <= policy severity
     ● allowlistCVEs: carefully whitelist specific vulnerabilities
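To make the policy above concrete, here is an added Go example (not Kritis's own evaluator) that applies the same fields to one image: allowlisted images and images attested by a named authority are admitted outright, and every other image must have each vulnerability finding pass both severity caps unless the finding's note is in allowlistCVEs. The severity ordering LOW < MEDIUM < HIGH < CRITICAL with ALLOW_ALL and BLOCK_ALL as sentinels follows the comment line in the YAML; the exact image-allowlist matching rule and the "attestation short-circuits the scan" order are assumptions made for this example, and the CVE-0000-* identifiers and the image digest in the sample findings are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Ordering for the severity names on the policy's comment line; ALLOW_ALL and
// BLOCK_ALL are sentinels handled separately. Unknown names rank 0.
var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// ImageSecurityPolicy mirrors the spec fields of the ImageSecurityPolicy CRD.
type ImageSecurityPolicy struct {
	AttestationAuthorityNames     []string
	ImageAllowlist                []string
	MaximumSeverity               string
	MaximumFixUnavailableSeverity string
	AllowlistCVEs                 []string // Grafeas note names, as in the YAML
}

// Vulnerability is one finding for the image, as a metadata lookup would
// return it; severity and fix availability are what the two caps look at.
type Vulnerability struct {
	NoteName     string
	Severity     string
	FixAvailable bool
}

// Attestation records that an authority signed a specific image reference.
type Attestation struct {
	Authority string
	Image     string
}

// exceeds reports whether a finding violates a severity cap.
func exceeds(findingSeverity, limit string) bool {
	switch limit {
	case "ALLOW_ALL":
		return false
	case "BLOCK_ALL":
		return true
	}
	return severityRank[findingSeverity] > severityRank[limit]
}

// Evaluate returns the policy violations for an image; nil means admit.
func Evaluate(p ImageSecurityPolicy, image string, vulns []Vulnerability, atts []Attestation) []string {
	// Assumption for this example: an allowlist entry matches the image name
	// exactly or as the name part of a digest reference.
	for _, a := range p.ImageAllowlist {
		if image == a || strings.HasPrefix(image, a+"@") {
			return nil
		}
	}
	// An attestation from a trusted authority admits the image without a
	// fresh scan, which is what lets a pod restart even if new CVEs appeared.
	for _, at := range atts {
		if at.Image != image {
			continue
		}
		for _, name := range p.AttestationAuthorityNames {
			if at.Authority == name {
				return nil
			}
		}
	}
	allowed := make(map[string]bool, len(p.AllowlistCVEs))
	for _, c := range p.AllowlistCVEs {
		allowed[c] = true
	}
	var violations []string
	for _, v := range vulns {
		if allowed[v.NoteName] {
			continue
		}
		if exceeds(v.Severity, p.MaximumSeverity) {
			violations = append(violations, fmt.Sprintf("%s: severity %s exceeds maximumSeverity %s", v.NoteName, v.Severity, p.MaximumSeverity))
			continue
		}
		if !v.FixAvailable && exceeds(v.Severity, p.MaximumFixUnavailableSeverity) {
			violations = append(violations, fmt.Sprintf("%s: no fix available and severity %s exceeds maximumFixUnavailableSeverity %s", v.NoteName, v.Severity, p.MaximumFixUnavailableSeverity))
		}
	}
	return violations
}

// SlidePolicy is the policy from the slide, as Go values.
var SlidePolicy = ImageSecurityPolicy{
	AttestationAuthorityNames:     []string{"kritis-authority"},
	ImageAllowlist:                []string{"gcr.io/my/image"},
	MaximumSeverity:               "HIGH",
	MaximumFixUnavailableSeverity: "ALLOW_ALL",
	AllowlistCVEs: []string{
		"providers/goog-vulnz/notes/CVE-2017-1000082",
		"providers/goog-vulnz/notes/CVE-2017-1000081",
	},
}

// SampleFindings are constructed; the CVE-0000-* identifiers are placeholders.
var SampleFindings = []Vulnerability{
	{NoteName: "providers/goog-vulnz/notes/CVE-2017-1000082", Severity: "CRITICAL", FixAvailable: true}, // allowlisted
	{NoteName: "providers/goog-vulnz/notes/CVE-0000-0001", Severity: "CRITICAL", FixAvailable: true},    // over the cap
	{NoteName: "providers/goog-vulnz/notes/CVE-0000-0002", Severity: "MEDIUM", FixAvailable: false},     // tolerated by ALLOW_ALL
}

// SampleImage is a constructed reference that is neither allowlisted nor attested.
const SampleImage = "gcr.io/other/app@sha256:0000000000000000000000000000000000000000000000000000000000000003"

func main() {
	for _, v := range Evaluate(SlidePolicy, SampleImage, SampleFindings, nil) {
		fmt.Println("deny:", v)
	}
	strict := SlidePolicy
	strict.MaximumFixUnavailableSeverity = "LOW"
	fmt.Println("violations under a LOW fix-unavailable cap:", len(Evaluate(strict, SampleImage, SampleFindings, nil)))
}
```

Running it shows why the two caps are separate knobs: with maximumFixUnavailableSeverity set to ALLOW_ALL the unpatchable MEDIUM finding is tolerated and only the CRITICAL one blocks the image, whereas lowering that cap to LOW turns the unpatchable finding into a second violation.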
  35. 35-37. Pod lifecycle, with Grafeas
     Flow: Kubernetes API (Create a pod) → Validation webhook (Validate pod) → Kritis → Image security validator → Fetch policy (CRD); Image security validator → Grafeas
     Grafeas: Uniform way to audit your software supply chain
  38. 38-43. Grafeas metadata store
     ● Notes - High level piece of metadata
       - Vulnerability: CVE description & details
       - Attestation: attestation authority
       - Deployment
       - Build history
       - And more!
     Vulnerability note:
     {
       "name": "projects/provider_example/notes/test",
       "shortDescription": "A brief description of the note",
       "longDescription": "A longer description of the note",
       "kind": "VULNERABILITY",
       "vulnerability": {
         "details": [
           {
             "package": "libexempi3",
             "cpeUri": "cpe:/o:debian:debian_linux:7",
             "minAffectedVersion": {
               "name": "2.5.7",
               "revision": "1",
               "kind": "NORMAL"
             }
           }
         ]
       }
     }
     Attestation authority note:
     {
       "name": "projects/image-signing/notes/production",
       "shortDescription": "Production image signer",
       "longDescription": "Production image signer",
       "kind": "ATTESTATION_AUTHORITY",
       "attestationAuthority": {
         "hint": {
           "humanReadableName": "production"
         }
       }
     }
  44. 44-48. Grafeas metadata store
     ● Notes
     ● Occurrences - Instantiation of a note
       - Package where vulnerability was found
       - Remediation
     Vulnerability occurrence:
     {
       "name": "projects/occurrence_example/occurrences/test",
       "resource": {
         "uri": "https://gcr.io/project/image@sha256:foo"
       },
       "noteName": "projects/provider_example/notes/test",
       "kind": "VULNERABILITY",
       "vulnerability": {
         "packageIssue": [
           {
             "affectedLocation": {
               "cpeUri": "7",
               "package": "a",
               "version": {
                 "name": "v1.1.1",
                 "kind": "NORMAL",
                 "revision": "r"
               }
             },
             "fixedLocation": {
               "cpeUri": "cpe:/o:debian:debian_linux:7",
               "package": "a",
               "version": {
                 "name": "namestring",
                 "kind": "NORMAL",
                 "revision": "1"
               }
             }
           }
         ]
       }
     }
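The note/occurrence split is what lets Grafeas answer the inventory questions from the "reality" slide ("which images are deployed right now?", "does CVE-2017-5638 impact production images?"). The following added Go example, not Grafeas code, indexes a JSON array of occurrences in memory: VULNERABILITY occurrences link an image URI to a CVE note, and DEPLOYMENT occurrences list the images a deployment runs, so joining the two gives the deployed images affected by a note. Only the occurrence fields the example reads are modelled, the deployment occurrence's resourceUri list is assumed to follow the Grafeas Deployment shape, and the occurrence names, note name and digests in the sample are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Occurrence models the fields of a Grafeas occurrence this example reads.
// Every occurrence names its note and the resource it is about; DEPLOYMENT
// occurrences also list the image URIs the deployment runs (assumed shape).
type Occurrence struct {
	Name     string `json:"name"`
	NoteName string `json:"noteName"`
	Kind     string `json:"kind"`
	Resource struct {
		URI string `json:"uri"`
	} `json:"resource"`
	Deployment *struct {
		ResourceURI []string `json:"resourceUri"`
	} `json:"deployment,omitempty"`
}

// Inventory is an in-memory stand-in for the database behind the Grafeas API.
type Inventory struct {
	vulnByNote map[string][]string // note name -> image URIs with an occurrence
	deployed   map[string]bool     // image URIs listed by DEPLOYMENT occurrences
}

// LoadOccurrences decodes a JSON array of occurrences.
func LoadOccurrences(raw []byte) ([]Occurrence, error) {
	var occs []Occurrence
	if err := json.Unmarshal(raw, &occs); err != nil {
		return nil, fmt.Errorf("decode occurrences: %w", err)
	}
	return occs, nil
}

// NewInventory indexes occurrences by kind.
func NewInventory(occs []Occurrence) *Inventory {
	inv := &Inventory{vulnByNote: map[string][]string{}, deployed: map[string]bool{}}
	for _, o := range occs {
		switch o.Kind {
		case "VULNERABILITY":
			inv.vulnByNote[o.NoteName] = append(inv.vulnByNote[o.NoteName], o.Resource.URI)
		case "DEPLOYMENT":
			if o.Deployment != nil {
				for _, uri := range o.Deployment.ResourceURI {
					inv.deployed[uri] = true
				}
			}
		}
	}
	return inv
}

// DeployedImages answers "which images are deployed right now?".
func (inv *Inventory) DeployedImages() []string {
	out := make([]string, 0, len(inv.deployed))
	for uri := range inv.deployed {
		out = append(out, uri)
	}
	sort.Strings(out)
	return out
}

// AffectedDeployedImages answers "does this CVE impact production images?":
// the images that are both deployed and carry a vulnerability occurrence
// pointing at the note. Unknown notes affect nothing.
func (inv *Inventory) AffectedDeployedImages(noteName string) []string {
	var out []string
	seen := map[string]bool{}
	for _, uri := range inv.vulnByNote[noteName] {
		if inv.deployed[uri] && !seen[uri] {
			seen[uri] = true
			out = append(out, uri)
		}
	}
	sort.Strings(out)
	return out
}

// SampleOccurrences is constructed: two images carry the CVE, but only one
// of them is listed in the deployment, and a third deployed image is clean.
const SampleOccurrences = `[
  {"name": "projects/scanner/occurrences/1", "kind": "VULNERABILITY",
   "noteName": "providers/goog-vulnz/notes/CVE-2017-5638",
   "resource": {"uri": "https://gcr.io/project/api@sha256:aaaa"}},
  {"name": "projects/scanner/occurrences/2", "kind": "VULNERABILITY",
   "noteName": "providers/goog-vulnz/notes/CVE-2017-5638",
   "resource": {"uri": "https://gcr.io/project/batch@sha256:bbbb"}},
  {"name": "projects/deployer/occurrences/3", "kind": "DEPLOYMENT",
   "noteName": "projects/deployer/notes/prod",
   "resource": {"uri": "https://gcr.io/project/api@sha256:aaaa"},
   "deployment": {"resourceUri": [
     "https://gcr.io/project/api@sha256:aaaa",
     "https://gcr.io/project/web@sha256:cccc"]}}
]`

func main() {
	occs, err := LoadOccurrences([]byte(SampleOccurrences))
	if err != nil {
		panic(err)
	}
	inv := NewInventory(occs)
	fmt.Println("deployed:", inv.DeployedImages())
	fmt.Println("affected by CVE-2017-5638:", inv.AffectedDeployedImages("providers/goog-vulnz/notes/CVE-2017-5638"))
}
```

Because everything keys on the image digest, the answer is exact rather than "whatever that tag points at today", which is the reason the slides insist on digests in the resource URIs.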
  49. 49-52. Pod lifecycle, with Grafeas
     Flow: Kubernetes API (Create a pod) → Validation webhook (Validate pod) → Kritis → Image security validator → Fetch policy (CRD); Image security validator → Fetch metadata → Grafeas API → DB
     Who pushes security data to Grafeas?
  53. 53. Demo https://github.com/grafeas/kritis/tree/master/docs/standalone
  54. 54-64. Roadmap
     ● Grafeas
       ○ New metadata kinds contributed by the community: License, Test, StaticAnalysis, InTotoLinkAttestation
       ○ Server v1.0
       ○ Move towards larger community ownership
         ■ Designate client owners for each language
         ■ Maintenance of the reference server v1.0
     ● Kritis
       ○ Production-ready, high-availability Kritis
       ○ Interoperability between BinAuthz and Kritis
       ○ More expressive policies based on stored metadata
  65. 65. References
     ● Deploy standalone Kritis + Grafeas in GKE
     ● Grafeas: github.com/grafeas/grafeas
     ● Kritis github repo: github.com/grafeas/kritis
     ● Mailing lists @googlegroups.com:
       ○ grafeas-users
       ○ grafeas-dev
       ○ kritis-users
     ● @Grafeasio
