Download as PDF, PPTX
![Grafeas metadata store
● Notes
- High level piece of metadata
{
"name" :
"projects/provider_example/notes/test" ,
"shortDescription" : "A brief
description of the note" ,
"longDescription" : "A longer
description of the note" ,
"kind": "VULNERABILITY" ,
"vulnerability" : {
"details": [
{
"package": "libexempi3",
"cpeUri":
"cpe:/o:debian:debian_linux:7" ,
"minAffectedVersion" : {
"name": "2.5.7",
"revision": "1",
"kind": "NORMAL"
},
}]
}
}](https://image.slidesharecdn.com/kubecon-2019-grafeas-kritis-191216200251/85/Binary-Authorization-in-Kubernetes-39-320.jpg)
![Grafeas metadata store
{
"name" :
"projects/provider_example/notes/test" ,
"shortDescription" : "A brief
description of the note" ,
"longDescription" : "A longer
description of the note" ,
"kind": "VULNERABILITY" ,
"vulnerability" : {
"details": [
{
"package": "libexempi3",
"cpeUri":
"cpe:/o:debian:debian_linux:7" ,
"minAffectedVersion" : {
"name": "2.5.7",
"revision": "1",
"kind": "NORMAL"
},
}]
}
}
● Notes
- High level piece of metadata
- Vulnerability: CVE description](https://image.slidesharecdn.com/kubecon-2019-grafeas-kritis-191216200251/85/Binary-Authorization-in-Kubernetes-40-320.jpg)
![Grafeas metadata store
{
"name" :
"projects/provider_example/notes/test" ,
"shortDescription" : "A brief
description of the note" ,
"longDescription" : "A longer
description of the note" ,
"kind": "VULNERABILITY" ,
"vulnerability" : {
"details": [
{
"package": "libexempi3",
"cpeUri":
"cpe:/o:debian:debian_linux:7" ,
"minAffectedVersion" : {
"name": "2.5.7",
"revision": "1",
"kind": "NORMAL"
},
}]
}
}
● Notes
- High level piece of metadata
- Vulnerability: CVE description
& details](https://image.slidesharecdn.com/kubecon-2019-grafeas-kritis-191216200251/85/Binary-Authorization-in-Kubernetes-41-320.jpg)
![Grafeas metadata store
{
"name" :
"projects/provider_example/notes/test" ,
"shortDescription" : "A brief
description of the note" ,
"longDescription" : "A longer
description of the note" ,
"kind": "VULNERABILITY" ,
"vulnerability" : {
"details": [
{
"package": "libexempi3",
"cpeUri":
"cpe:/o:debian:debian_linux:7" ,
"minAffectedVersion" : {
"name": "2.5.7",
"revision": "1",
"kind": "NORMAL"
},
}]
}
}
● Notes
- High level piece of metadata
- Vulnerability: CVE description
& details](https://image.slidesharecdn.com/kubecon-2019-grafeas-kritis-191216200251/85/Binary-Authorization-in-Kubernetes-42-320.jpg)
![Grafeas metadata store
{
"name" :
"projects/provider_example/notes/test" ,
"shortDescription" : "A brief
description of the note" ,
"longDescription" : "A longer
description of the note" ,
"kind": "VULNERABILITY" ,
"vulnerability" : {
"details": [
{
"package": "libexempi3",
"cpeUri":
"cpe:/o:debian:debian_linux:7" ,
"minAffectedVersion" : {
"name": "2.5.7",
"revision": "1",
"kind": "NORMAL"
},
}]
}
}
● Notes
- High level piece of metadata
- Vulnerability: CVE description
& details
- Attestation: attestation authority
- Deployment
- Build history
- And more!](https://image.slidesharecdn.com/kubecon-2019-grafeas-kritis-191216200251/85/Binary-Authorization-in-Kubernetes-44-320.jpg)
![Grafeas metadata store
● Notes
● Occurrences
- Instantiation of a note
{
"name": "projects/occurrence_example/occurrences/test",
"resource": {
"uri": "https://gcr.io/project/image@sha256:foo",
},
"noteName": "projects/provider_example/notes/test",
"kind": "VULNERABILITY",
"vulnerability": {
"packageIssue": [
{
"affectedLocation": {
"cpeUri": "7",
"package": "a",
"version": {
"name": "v1.1.1",
"kind": "NORMAL",
"revision": "r"
}
},
"fixedLocation": {
"cpeUri": "cpe:/o:debian:debian_linux:7",
"package": "a",
"version": {
"name": "namestring",
"kind": "NORMAL",
"revision": "1"
}
}
}
]
}
}](https://image.slidesharecdn.com/kubecon-2019-grafeas-kritis-191216200251/85/Binary-Authorization-in-Kubernetes-45-320.jpg)
![Grafeas metadata store
{
"name": "projects/occurrence_example/occurrences/test",
"resource": {
"uri": "https://gcr.io/project/image@sha256:foo",
},
"noteName": "projects/provider_example/notes/test",
"kind": "VULNERABILITY",
"vulnerability": {
"packageIssue": [
{
"affectedLocation": {
"cpeUri": "7",
"package": "a",
"version": {
"name": "v1.1.1",
"kind": "NORMAL",
"revision": "r"
}
},
"fixedLocation": {
"cpeUri": "cpe:/o:debian:debian_linux:7",
"package": "a",
"version": {
"name": "namestring",
"kind": "NORMAL",
"revision": "1"
}
}
}
]
}
}
● Notes
● Occurrences
- Instantiation of a note](https://image.slidesharecdn.com/kubecon-2019-grafeas-kritis-191216200251/85/Binary-Authorization-in-Kubernetes-46-320.jpg)
![Grafeas metadata store
{
"name": "projects/occurrence_example/occurrences/test",
"resource": {
"uri": "https://gcr.io/project/image@sha256:foo",
},
"noteName": "projects/provider_example/notes/test",
"kind": "VULNERABILITY",
"vulnerability": {
"packageIssue": [
{
"affectedLocation": {
"cpeUri": "7",
"package": "a",
"version": {
"name": "v1.1.1",
"kind": "NORMAL",
"revision": "r"
}
},
"fixedLocation": {
"cpeUri": "cpe:/o:debian:debian_linux:7",
"package": "a",
"version": {
"name": "namestring",
"kind": "NORMAL",
"revision": "1"
}
}
}
]
}
}
● Notes
● Occurrences
- Instantiation of a note](https://image.slidesharecdn.com/kubecon-2019-grafeas-kritis-191216200251/85/Binary-Authorization-in-Kubernetes-47-320.jpg)
![Grafeas metadata store
{
"name": "projects/occurrence_example/occurrences/test",
"resource": {
"uri": "https://gcr.io/project/image@sha256:foo",
},
"noteName": "projects/provider_example/notes/test",
"kind": "VULNERABILITY",
"vulnerability": {
"packageIssue": [
{
"affectedLocation": {
"cpeUri": "7",
"package": "a",
"version": {
"name": "v1.1.1",
"kind": "NORMAL",
"revision": "r"
}
},
"fixedLocation": {
"cpeUri": "cpe:/o:debian:debian_linux:7",
"package": "a",
"version": {
"name": "namestring",
"kind": "NORMAL",
"revision": "1"
}
}
}
]
}
}
● Notes
● Occurrences
- Instantiation of a note
- Package where vulnerability was
found](https://image.slidesharecdn.com/kubecon-2019-grafeas-kritis-191216200251/85/Binary-Authorization-in-Kubernetes-48-320.jpg)
![Grafeas metadata store
{
"name": "projects/occurrence_example/occurrences/test",
"resource": {
"uri": "https://gcr.io/project/image@sha256:foo",
},
"noteName": "projects/provider_example/notes/test",
"kind": "VULNERABILITY",
"vulnerability": {
"packageIssue": [
{
"affectedLocation": {
"cpeUri": "7",
"package": "a",
"version": {
"name": "v1.1.1",
"kind": "NORMAL",
"revision": "r"
}
},
"fixedLocation": {
"cpeUri": "cpe:/o:debian:debian_linux:7",
"package": "a",
"version": {
"name": "namestring",
"kind": "NORMAL",
"revision": "1"
}
}
}
]
}
}
● Notes
● Occurrences
- Instantiation of a note
- Package where vulnerability was
found
- Remediation](https://image.slidesharecdn.com/kubecon-2019-grafeas-kritis-191216200251/85/Binary-Authorization-in-Kubernetes-49-320.jpg)
Uploaded byAysylu Greenberg
Binary Authorization in Kubernetes
The document discusses the importance of binary authorization in Kubernetes to enhance security by ensuring that only trusted images are deployed in a cluster. It introduces the Kritis tool as an admission controller for policy enforcement, limiting image deployment based on security criteria and vulnerability assessments. Additionally, it covers the Grafeas metadata store for managing vulnerabilities and attestation authorities, along with examples of image security policies.
More Related Content
Similar to Binary Authorization in Kubernetes
Binary Authorization in Kubernetes
- 2. Aysylu Greenberg, Google LironLevin, Palo Alto Networks Binary Authorization in Kubernetes
- 3. Who are we AysyluGreenberg Sr Software Engineer @ Google Eng Lead of open-source Grafeas and Kritis @aysylu22 Liron Levin Chief software architect @ Prisma Cloud Compute Grafeas and Kritis contributor
- 4. Today ● Why weneed binary authorization
- 5. Today ● Why weneed binary authorization ● Improve the security posture of your k8s cluster
- 6. Today ● Why weneed binary authorization ● Improve the security posture of your k8s cluster ● Learn about exciting open source security technologies
- 7. Today ● Why weneed binary authorization ● Improve the security posture of your k8s cluster ● Learn about exciting open source security technologies ● Have fun and see cool demos
- 8.
- 9. Software supply chain Build& Test (CI/CD) Code
- 10. Software supply chain Build& Test (CI/CD) Code Deploy
- 11. Software supply chain- reality
- 12. Software supply chain- reality ● Which images are deployed right now?
- 13. Software supply chain- reality ● Which images are deployed right now? ● Did all deployed images pass required QA tests
- 14. Software supply chain- reality ● Which images are deployed right now? ● Did all deployed images pass required QA tests ● Does vulnerability CVE-2017-5638 (Equifax, apache struts RCE) impact production images?
- 15. Software supply chain Build& Test (CI/CD) Code Deploy
- 16. Software supply chain Build& Test (CI/CD) Code DeployAuthorize
- 17. Binary authorization -use cases ● Require images to be signed by trusted authorities: ○ QA ○ DevOps ○ Security tools https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
- 18. Binary authorization -use cases ● Require images to be signed by trusted authorities: ○ QA ○ DevOps ○ Security tools ● Require images to pass some restrictive security criteria (e.g., no critical severity unpatched vulnerabilities) https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
- 19. Binary authorization -use cases ● Require images to be signed by trusted authorities: ○ QA ○ DevOps ○ Security tools ● Require images to pass some restrictive security criteria (e.g., no critical severity unpatched vulnerabilities) ● Continuously monitor our inventory https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
- 20.
- 21.
- 22.
- 23.
- 24.
- 25. Pod lifecycle ● Kritis- Admission controller for policy enforcement Kubernentes API Kritis Create a pod
- 26. Pod lifecycle ● Kritis- Admission controller for policy enforcement Kubernentes API Validation webhook Kritis Create a pod Validate pod Admission webhooks receive admission requests and do something with them.
- 27. Pod lifecycle ● Kritis- Admission controller for policy enforcement Kubernentes API Validation webhook Image security validator Kritis Create a pod Validate pod
- 28. Pod lifecycle ● Kritis- Admission controller for policy enforcement Kubernentes API Validation webhook Image security validator Kritis Fetch policy (CRD) Create a pod Validate pod
- 29. Pod lifecycle ● Kritis- Admission controller for policy enforcement Kubernentes API Validation webhook Image security validator Kritis Fetch policy (CRD) Create a pod Validate pod Kritis policy is a CRD.
- 30. Example policy apiVersion: kritis.grafeas.io/v1beta1 kind:ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081
- 31. Example policy apiVersion: kritis.grafeas.io/v1beta1 kind:ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081 The Custom Resource Definition. Supported values: ImageSecurityPolicy GenericAttestationPolicy
- 32. Example policy apiVersion: kritis.grafeas.io/v1beta1 kind:ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081 Allow deploying images signed by ‘kritis-authority’ to allow previously admitted images be re-admitted on pod restart
- 33. Example policy apiVersion: kritis.grafeas.io/v1beta1 kind:ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081 Allow specific external/infrastructure images
- 34. Example policy apiVersion: kritis.grafeas.io/v1beta1 kind:ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081 Constraint on vulnerability: vuln severity <= policy severity
- 35. Example policy apiVersion: kritis.grafeas.io/v1beta1 kind:ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081 Carefully whitelist specific vulnerabilities
- 36. Pod lifecycle Kubernentes API Validation webhook Imagesecurity validator Kritis Fetch policy (CRD) Create a pod Validate pod
- 37. Pod lifecycle Kubernentes API Validation webhook Imagesecurity validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas
- 38. Pod lifecycle Kubernentes API Validation webhook Imagesecurity validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas Uniform way to audit your software supply chain
- 39. Grafeas metadata store ●Notes - High level piece of metadata { "name" : "projects/provider_example/notes/test" , "shortDescription" : "A brief description of the note" , "longDescription" : "A longer description of the note" , "kind": "VULNERABILITY" , "vulnerability" : { "details": [ { "package": "libexempi3", "cpeUri": "cpe:/o:debian:debian_linux:7" , "minAffectedVersion" : { "name": "2.5.7", "revision": "1", "kind": "NORMAL" }, }] } }
- 40. Grafeas metadata store { "name": "projects/provider_example/notes/test" , "shortDescription" : "A brief description of the note" , "longDescription" : "A longer description of the note" , "kind": "VULNERABILITY" , "vulnerability" : { "details": [ { "package": "libexempi3", "cpeUri": "cpe:/o:debian:debian_linux:7" , "minAffectedVersion" : { "name": "2.5.7", "revision": "1", "kind": "NORMAL" }, }] } } ● Notes - High level piece of metadata - Vulnerability: CVE description
- 41. Grafeas metadata store { "name": "projects/provider_example/notes/test" , "shortDescription" : "A brief description of the note" , "longDescription" : "A longer description of the note" , "kind": "VULNERABILITY" , "vulnerability" : { "details": [ { "package": "libexempi3", "cpeUri": "cpe:/o:debian:debian_linux:7" , "minAffectedVersion" : { "name": "2.5.7", "revision": "1", "kind": "NORMAL" }, }] } } ● Notes - High level piece of metadata - Vulnerability: CVE description & details
- 42. Grafeas metadata store { "name": "projects/provider_example/notes/test" , "shortDescription" : "A brief description of the note" , "longDescription" : "A longer description of the note" , "kind": "VULNERABILITY" , "vulnerability" : { "details": [ { "package": "libexempi3", "cpeUri": "cpe:/o:debian:debian_linux:7" , "minAffectedVersion" : { "name": "2.5.7", "revision": "1", "kind": "NORMAL" }, }] } } ● Notes - High level piece of metadata - Vulnerability: CVE description & details
- 43. Grafeas metadata store { "name": "projects/image-signing/notes/product ion", "shortDescription":"Production image signer", "longDescription": "Production image signer", "kind": "ATTESTATION_AUTHORITY" , "attestationAuthority": { "hint": { "humanReadableName": "production" } } } ● Notes - High level piece of metadata - Vulnerability: CVE description & details - Attestation: attestation authority
- 44. Grafeas metadata store { "name": "projects/provider_example/notes/test" , "shortDescription" : "A brief description of the note" , "longDescription" : "A longer description of the note" , "kind": "VULNERABILITY" , "vulnerability" : { "details": [ { "package": "libexempi3", "cpeUri": "cpe:/o:debian:debian_linux:7" , "minAffectedVersion" : { "name": "2.5.7", "revision": "1", "kind": "NORMAL" }, }] } } ● Notes - High level piece of metadata - Vulnerability: CVE description & details - Attestation: attestation authority - Deployment - Build history - And more!
- 45. Grafeas metadata store ●Notes ● Occurrences - Instantiation of a note { "name": "projects/occurrence_example/occurrences/test", "resource": { "uri": "https://gcr.io/project/image@sha256:foo", }, "noteName": "projects/provider_example/notes/test", "kind": "VULNERABILITY", "vulnerability": { "packageIssue": [ { "affectedLocation": { "cpeUri": "7", "package": "a", "version": { "name": "v1.1.1", "kind": "NORMAL", "revision": "r" } }, "fixedLocation": { "cpeUri": "cpe:/o:debian:debian_linux:7", "package": "a", "version": { "name": "namestring", "kind": "NORMAL", "revision": "1" } } } ] } }
- 46. Grafeas metadata store { "name":"projects/occurrence_example/occurrences/test", "resource": { "uri": "https://gcr.io/project/image@sha256:foo", }, "noteName": "projects/provider_example/notes/test", "kind": "VULNERABILITY", "vulnerability": { "packageIssue": [ { "affectedLocation": { "cpeUri": "7", "package": "a", "version": { "name": "v1.1.1", "kind": "NORMAL", "revision": "r" } }, "fixedLocation": { "cpeUri": "cpe:/o:debian:debian_linux:7", "package": "a", "version": { "name": "namestring", "kind": "NORMAL", "revision": "1" } } } ] } } ● Notes ● Occurrences - Instantiation of a note
- 47. Grafeas metadata store { "name":"projects/occurrence_example/occurrences/test", "resource": { "uri": "https://gcr.io/project/image@sha256:foo", }, "noteName": "projects/provider_example/notes/test", "kind": "VULNERABILITY", "vulnerability": { "packageIssue": [ { "affectedLocation": { "cpeUri": "7", "package": "a", "version": { "name": "v1.1.1", "kind": "NORMAL", "revision": "r" } }, "fixedLocation": { "cpeUri": "cpe:/o:debian:debian_linux:7", "package": "a", "version": { "name": "namestring", "kind": "NORMAL", "revision": "1" } } } ] } } ● Notes ● Occurrences - Instantiation of a note
- 48. Grafeas metadata store { "name":"projects/occurrence_example/occurrences/test", "resource": { "uri": "https://gcr.io/project/image@sha256:foo", }, "noteName": "projects/provider_example/notes/test", "kind": "VULNERABILITY", "vulnerability": { "packageIssue": [ { "affectedLocation": { "cpeUri": "7", "package": "a", "version": { "name": "v1.1.1", "kind": "NORMAL", "revision": "r" } }, "fixedLocation": { "cpeUri": "cpe:/o:debian:debian_linux:7", "package": "a", "version": { "name": "namestring", "kind": "NORMAL", "revision": "1" } } } ] } } ● Notes ● Occurrences - Instantiation of a note - Package where vulnerability was found
- 49. Grafeas metadata store { "name":"projects/occurrence_example/occurrences/test", "resource": { "uri": "https://gcr.io/project/image@sha256:foo", }, "noteName": "projects/provider_example/notes/test", "kind": "VULNERABILITY", "vulnerability": { "packageIssue": [ { "affectedLocation": { "cpeUri": "7", "package": "a", "version": { "name": "v1.1.1", "kind": "NORMAL", "revision": "r" } }, "fixedLocation": { "cpeUri": "cpe:/o:debian:debian_linux:7", "package": "a", "version": { "name": "namestring", "kind": "NORMAL", "revision": "1" } } } ] } } ● Notes ● Occurrences - Instantiation of a note - Package where vulnerability was found - Remediation
- 50. Pod lifecycle Kubernentes API Validation webhook Imagesecurity validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas Image security validator Fetch metadata API
- 51. Pod lifecycle Kubernentes API Validation webhook Imagesecurity validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas Image security validator Fetch metadata API DB
- 52. Pod lifecycle Kubernentes API Validation webhook Imagesecurity validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas Image security validator Fetch metadata API DB Who pushes security data to Grafeas?
- 53. Pod lifecycle Kubernentes API Validation webhook Imagesecurity validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas Image security validator Fetch metadata API DB
- 54.
- 55.
- 56. Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community
- 57. Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community License Test StaticAnalysis InTotoLinkAttestation
- 58. Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community ○ Server v1.0
- 59. Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership
- 60. Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ■ Designate client owners for each language
- 61. Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ■ Designate client owners for each language ■ Maintenance of the reference server v1.0
- 62. Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ● Kritis
- 63. Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ● Kritis ○ Production-ready, high-availability Kritis
- 64. Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ● Kritis ○ Production-ready, high-availability Kritis ○ Interoperability between BinAuthz and Kritis
- 65. Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ● Kritis ○ Production-ready, high-availability Kritis ○ Interoperability between BinAuthz and Kritis ○ More expressive policies based on stored metadata
- 66. References ● Deploy standaloneKritis + Grafeas in GKE ● Grafeas: github.com/grafeas/grafeas ● Kritis github repo: github.com/grafeas/kritis ● Mailing lists @googlegroups.com: ○ grafeas-users ○ grafeas-dev ○ kritis-users ● @Grafeasio