
Software Supply Chain Management with Grafeas and Kritis


Software supply chain is a collective term for the continuous integration and delivery pipelines, together with the observability tools that track what happens to a piece of code from the moment it is in source control to when it gets deployed, and everywhere in between. Grafeas is an open-source artifact metadata API to audit and govern your software supply chain. It is built as an industry standard for storing and retrieving metadata about software resources. Kritis is an open-source solution for securing the software supply chain of Kubernetes applications. It enforces deploy-time security policies using Grafeas.

This talk discusses the goals of each of the two open-source projects, walks through examples of how they can be used to secure your company's software supply chain, and concludes with the details of current and future development.


  1. Software Supply Chain Management with Grafeas and Kritis. Aysylu Greenberg, May 8 2019. Photo via https://www.goodfreephotos.com/
  5. Aysylu Greenberg - Sr Software Engineer @Google - Eng Lead of open-source Grafeas and Kritis - @aysylu22
  7. In This Talk: 1 Software Supply Chain Management; 2 Kritis; 3 Grafeas; 4 Kritis & Grafeas 0.1.0
  8. Google runs in containers: in any given week, we launch over two billion containers.
  18. Software Supply Chain Management: what happens to code from source to deployment? CI/CD pipelines, observability tools. Pipeline stages shown: Write code, Code Checkin, Build Image, Test & Verification, QA, Deploy to Production.
  26. Software Supply Chain with Grafeas & Kritis: the CI/CD pipelines (Build & Deploy) provide a secure build process, automated test, scan and analysis, and deploy checks. Grafeas is the centralized metadata knowledge base, with backed storage for vulnerabilities, build info, etc. Kritis is the admission controller and deploy-time policy chokepoint in front of Production; it enforces policies for severity of vulnerabilities, image location, etc.
  27. Grafeas & Kritis: Binary Authorization, Container Registry Vulnerability Scanning
  30. Kritis: github.com/grafeas/kritis (section header over the pipeline diagram)
  31. Let's deploy our e-commerce website...
  36. Kritis: Admission Flow. Kritis is installed into the k8s cluster with $ helm install <path>/kritis-charts-0.1.0.tgz; the site is then deployed with $ kubectl apply -f site.yaml
  45. Kritis: Admission Flow. 1. Admission Request: k8s passes the Pod spec to Kritis through a validating WebHook. 2. Review: the Image Security Validator checks the Pod's images against the Policies, Image Security Policy CRDs defined per namespace (ns:prod, ns:qa). 3. Fetch metadata: the validator fetches the images' metadata from Grafeas.
  46. Oh no! Vulnerability scan isn't finished...
  48. Kritis: Admission Flow. 4 a) denied: with no finished scan in Grafeas, the Pod is not admitted.
  49. Vulnerability scanning is finished! CVE-2019-5514 is found...
  51. Kritis: Admission Flow. Grafeas now returns the vulnerability occurrence for the image; 4 a) denied: the Pod is not admitted.
  52. Whitelist CVE-2019-5514 because it doesn't affect the website...
  54. Kritis: Admission Flow. With the CVE whitelisted in the policy, 4 b) admitted: the Pod is created.
  55. It's time to scale up your site! $ kubectl scale deployments/site --replicas=4
  56. Kritis: Admission Flow. Each new Pod of the scaled deployment goes through the same admission request, review and metadata fetch.
  57. A new vulnerability is found during scale up... CVE-2019-9919
  58. Kritis: Admission Flow. The metadata fetched from Grafeas for the new Pods now includes CVE-2019-9919.
  59. Kritis attestations to the rescue...
  67. Kritis: Admission Flow. The Attestor, configured through an Attestation Authority CRD, adds two steps: 5. Store attestations for admitted images in Grafeas when an image is admitted (4 b). 6. Fetch attestations for the admitted image when the same image is reviewed again. 7. admitted: the new Pods are admitted on the strength of the earlier attestation, even though CVE-2019-9919 has since been found.
  68. Discovering new vulnerabilities in admitted containers ...
  72. Kritis: Background Cron. The same admission flow diagram with a Background Cron component added, which checks the containers already admitted for newly discovered vulnerabilities.
  75. Kritis Terminology
    ● Grafeas metadata API
      ○ Retrieve vulnerability data for images
      ○ Store and retrieve attestations
    ● Custom Resource Definitions (CRDs)
      ○ Extension of the k8s API
      ○ Used to store enforcement policies as k8s objects
    ● Validating Admission Webhook
      ○ HTTP callbacks that receive an admission request and accept or reject it, enforcing custom admission policies
  76. GenericAttestationPolicy CRD
      apiVersion: kritis.grafeas.io/v1beta1
      kind: GenericAttestationPolicy
      metadata:
        name: my-gap
      spec:
        attestationAuthorities:
        - my-attestor
        - deploy-attestor
  77. AttestationAuthority CRD
      apiVersion: kritis.grafeas.io/v1beta1
      kind: AttestationAuthority
      metadata:
        name: my-attestor
      spec:
        privateKeySecretName: my-kubernetes-secret
        publicData: "-----BEGIN PGP PUBLIC KEY BLOCK----- mQENBFvJLhwBCADCiNJAJkFUwYrH=vmny ... -----END PGP PUBLIC KEY BLOCK-----"
        noteReference: v1beta1/projects/my-project
  78. ImageSecurityPolicy CRD
      apiVersion: kritis.grafeas.io/v1beta1
      kind: ImageSecurityPolicy
      metadata:
        name: my-isp
      spec:
        imageWhitelist:
        - gcr.io/kritis-int-test/nginx-digest-whitelist:latest
        packageVulnerabilityRequirements:
          maximumSeverity: MEDIUM
          whitelistCVEs:
          - providers/goog-vulnz/notes/CVE-2017-1000082
          - providers/goog-vulnz/notes/CVE-2017-1000081
  79. Kritis: Open source, built with the community. Plugs into the k8s admission controller. Ensures vulnerability scanning before deployment. Attests images and verifies them before deployment. Applies a consistent deploy policy across k8s environments. github.com/grafeas/kritis, kritis-users@googlegroups.com
  82. Grafeas: github.com/grafeas/grafeas (section header over the pipeline diagram)
  86. Grafeas: Artifact Metadata API. Artifact = images, binaries, packages...; Metadata = build, deployment, vulnerability, ...; API = store & retrieve metadata about artifacts
  90. Grafeas: Terminology
    ● Notes: high-level description of a type of metadata
      ○ e.g. a Common Vulnerabilities and Exposures (CVE) entry as a Vulnerability Note
    ● Occurrences: an instance of a note in an artifact
      ○ e.g. the presence of a CVE in an image
    ● Providers and Consumers
  96. Grafeas: Providers and Consumers. Vulnerability Scanning (a provider) stores vulnerability Notes (CVEs) and vulnerability Occurrences for containers in Grafeas. Kritis (a consumer) reads the vulnerability Occurrences for a container from Grafeas.
  99. Grafeas: Terminology (cont'd)
    ● Resource URL: identifier for the artifact in an Occurrence
    ● Kind-specific schemas
  100. Grafeas: Deployment Note
      // An artifact that can be deployed in some runtime.
      message DeploymentNote {
        // Required. Resource URI for the artifact being deployed.
        repeated string resource_uri = 1;
      }
  101. Grafeas: Deployment Occurrence
      // The period during which some deployable was active in a runtime.
      message DeploymentOccurrence {
        // Identity of the user that triggered this deployment.
        string user_email = 1;
        // Required. Beginning of the lifetime of this deployment.
        google.protobuf.Timestamp deploy_time = 2;
        // Output only. Resource URI for the artifact being deployed taken from the deployable field with the same name.
        repeated string resource_uri = 6;
        ...
      }
  102. Grafeas: Architecture (architecture diagram)
  103. Grafeas: Open artifact metadata standard with contributions from the industry. Audit and govern your software supply chain. Knowledge base for on-premises and cloud clusters. API with pluggable storage backends. github.com/grafeas/grafeas, grafeas-users@googlegroups.com, grafeas-dev@googlegroups.com, @Grafeasio
  106. Coming soon... 0.1.0
  107. 0.1.0 Goals: Enable users to start experimenting with Kritis and Grafeas. Move towards hybrid-cloud support. Gather community feedback.
  108. 0.1.0 Scope: Standalone Kritis on Kubernetes with standalone Grafeas
  109. 0.1.0 User Journeys: Allow deployment of a container to a Kubernetes cluster. Block deployment of an unadmitted container to the cluster.
  111. 0.1.0 Features
    ● Grafeas:
      ○ Helm chart for Grafeas & published image
      ○ Standalone Grafeas server with Postgres storage backend
      ○ Basic support for Go client library
    ● Kritis:
      ○ GenericAttestationPolicy
      ○ Default admittance fallback policy is well-defined
      ○ Configurable
  112. Learn more and follow along! github.com/grafeas/{grafeas,kritis}; Google Groups: {grafeas,kritis}-users, grafeas-dev; @grafeasio. Thank you! 0.1.0
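The admission decision walked through on slides 32-67 and the ImageSecurityPolicy fields of slide 78, modelled in Go as an added example (this is not Kritis's own code): Review denies when the scan is unfinished or a non-whitelisted CVE exceeds maximumSeverity, stores an attestation for an admitted image, and admits a re-deployed image on that attestation. The severity ranking, the plain-map attestation store, the image name and the CVE severities are assumptions of the example.

```go
package main

import (
	"fmt"
	"slices"
)

// Grafeas severity names; the ranking is this example's assumption. An unknown name ranks 0.
var severityRank = map[string]int{"MINIMAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

// Vulnerability stands in for a Grafeas vulnerability Occurrence on one image.
type Vulnerability struct {
	NoteName string // e.g. providers/goog-vulnz/notes/CVE-2019-5514
	Severity string
}

// ImageSecurityPolicy mirrors the spec fields of the ISP CRD on slide 78.
type ImageSecurityPolicy struct {
	ImageWhitelist  []string
	MaximumSeverity string
	WhitelistCVEs   []string
}

// Metadata is what the Image Security Validator fetches from Grafeas (step 3).
type Metadata struct {
	ScanFinished bool
	Vulns        []Vulnerability
}

// Attestations models attestations stored in Grafeas for admitted images (step 5); the
// Attestor's PGP signature with the AttestationAuthority key is omitted in this example.
type Attestations map[string]bool

// Review returns (admitted, reason) for one image, following steps 2 to 7 of the flow.
func Review(p ImageSecurityPolicy, att Attestations, image string, m Metadata) (bool, string) {
	// Steps 6-7: an attestation from an earlier admission is trusted as-is, which is why the
	// scale-up on slide 67 is admitted although CVE-2019-9919 has since been found.
	if att[image] {
		return true, "attestation found for admitted image"
	}
	if slices.Contains(p.ImageWhitelist, image) {
		return true, "image is whitelisted"
	}
	if !m.ScanFinished { // slides 46-48: an unfinished scan is no evidence, so fail closed
		return false, "vulnerability scan not finished"
	}
	limit := severityRank[p.MaximumSeverity] // an unknown maximumSeverity is 0: everything is denied
	for _, v := range m.Vulns {
		if slices.Contains(p.WhitelistCVEs, v.NoteName) {
			continue // slide 52: a whitelisted CVE does not count against the image
		}
		// An unrecognised severity is treated as exceeding the maximum, never ignored.
		if rank, known := severityRank[v.Severity]; !known || rank > limit {
			return false, fmt.Sprintf("%s (%s) exceeds maximumSeverity %s", v.NoteName, v.Severity, p.MaximumSeverity)
		}
	}
	att[image] = true // steps 4b and 5: admitted, so store an attestation for the image
	return true, "all vulnerabilities within policy"
}

func main() {
	// Constructed walk-through of slides 31-67; the image name and severities are made up.
	policy := ImageSecurityPolicy{MaximumSeverity: "MEDIUM"}
	att, img := Attestations{}, "gcr.io/example-project/site@sha256:constructed"
	cve5514 := Vulnerability{"providers/goog-vulnz/notes/CVE-2019-5514", "HIGH"}
	cve9919 := Vulnerability{"providers/goog-vulnz/notes/CVE-2019-9919", "CRITICAL"}
	fmt.Println(Review(policy, att, img, Metadata{ScanFinished: false}))            // false: scan unfinished
	fmt.Println(Review(policy, att, img, Metadata{true, []Vulnerability{cve5514}})) // false: HIGH > MEDIUM
	policy.WhitelistCVEs = []string{cve5514.NoteName}
	fmt.Println(Review(policy, att, img, Metadata{true, []Vulnerability{cve5514}}))          // true, attestation stored
	fmt.Println(Review(policy, att, img, Metadata{true, []Vulnerability{cve5514, cve9919}})) // true, via attestation
}
```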
