
Software Supply Chain Management with Grafeas and Kritis

Software supply chain is a collective term for the continuous integration and delivery pipelines together with the observability tools that track what happens to a piece of code from the moment it is in source control to the moment it is deployed, and everywhere in between. Grafeas is an open-source artifact metadata API for auditing and governing your software supply chain, built as an industry standard for storing and retrieving metadata about software resources. Kritis is an open-source solution for securing the software supply chain of Kubernetes applications: it enforces deploy-time security policies using the metadata stored in Grafeas.

This talk will discuss the goals for each of the two open source projects, dive into the examples of how they can be used to secure your company's software supply chain, and conclude with the details of current and future development.

  1. Software Supply Chain Management with Grafeas and Kritis. Aysylu Greenberg, May 20 2019, @aysylu22
  2–9. Software Supply Chain with Grafeas & Kritis (built up over slides 2–9)
    ● CI/CD pipelines: Build & Deploy → Production
      ○ Secure build process
      ○ Automated test, scan, analysis
      ○ Deploy checks
    ● Centralized metadata knowledge base: Grafeas-backed storage of vulnerabilities, build info, etc.
    ● Kritis: admission controller
      ○ Deploy-time policy chokepoint
      ○ Enforce policies for severity of vulnerabilities, image location, etc.
  10. Grafeas & Kritis: the open-source counterparts of Google Cloud's Container Registry Vulnerability Scanning and Binary Authorization, respectively
  11–14. Grafeas: Artifact Metadata API
    ● Artifact = images, binaries, packages, ...
    ● Metadata = build, deployment, vulnerability, ...
    ● API = store & retrieve metadata about artifacts
  15–16. Grafeas: Terminology
    ● Notes: high-level description of types of metadata
      ○ e.g. Common Vulnerabilities and Exposures (CVE) as Vulnerability Note
    ● Occurrences: instance of a note in an artifact
      ○ e.g. CVE presence in an image
  17–19. Grafeas: Terminology (cont'd)
    ● Resource URL: identifier for the artifact in an Occurrence
    ● Kind-specific schemas
  20. Grafeas: Deployment Note
      // An artifact that can be deployed in some runtime.
      message DeploymentNote {
        // Required. Resource URI for the artifact being deployed.
        repeated string resource_uri = 1;
      }
  21. Grafeas: Deployment Occurrence
      // The period during which some deployable was active in a runtime.
      message DeploymentOccurrence {
        // Identity of the user that triggered this deployment.
        string user_email = 1;
        // Required. Beginning of the lifetime of this deployment.
        google.protobuf.Timestamp deploy_time = 2;
        // Output only. Resource URI for the artifact being deployed taken from the deployable field with the same name.
        repeated string resource_uri = 6;
        ...
      }
  22. Grafeas
    ● Open artifact metadata standard with contributions from the industry
    ● Audit and govern your software supply chain
    ● Knowledge base for on-premises and cloud clusters
    ● API with pluggable storage backends
    github.com/grafeas/grafeas | grafeas-users@googlegroups.com | grafeas-dev@googlegroups.com | @Grafeasio
  23. Kritis: Deploy-Time Policy Verifier
  24. Let's deploy our e-commerce website...
  25–37. Kritis: Admission Flow (built up over slides 25–37)
    $ helm install <path>/kritis-charts-0.1.0.tgz
    $ kubectl apply -f site.yaml
    ● Kritis is installed into the k8s cluster from the Helm chart; kubectl apply then submits the site's Pod spec to k8s
    ● 1. Admission Request: k8s sends the Pod spec to the Kritis validating WebHook
    ● 2. review: Kritis selects the Policies for the Pod's namespace (Image Security Policy CRDs, e.g. ns:prod, ns:qa; a namespace may carry several) and runs the Image Security Validator over the Pod's images
    ● 3. Fetch metadata: the validator fetches each image's metadata (vulnerability occurrences, etc.) from Grafeas
  38. Oh no! Vulnerability scan isn't finished...
  39–40. Kritis: Admission Flow (cont'd)
    ● 3. Fetch metadata: Grafeas has no scan result for the image yet
    ● 4 a) denied: Kritis rejects the admission request and no Pod is created; missing metadata is treated as a policy failure, not as a pass
  41. Vulnerability scanning is finished! CVE-2019-5514 is found...
  42–43. Kritis: Admission Flow (cont'd)
    ● 3. Fetch metadata: Grafeas now returns a vulnerability occurrence (CVE-2019-5514) for the image
    ● 4 a) denied: the vulnerability violates the Image Security Policy, so the Pod is rejected again
  44. Whitelist CVE-2019-5514 because it doesn't affect the website...
  45–46. Kritis: Admission Flow (cont'd)
    ● 3. Fetch metadata: Grafeas still returns CVE-2019-5514 for the image
    ● 4 b) admitted: CVE-2019-5514 is now whitelisted in the Image Security Policy, so the validator passes and the Pod is created
  47. It's time to scale up your site! $ kubectl scale deployments/site --replicas=4
  48. Kritis: Admission Flow (cont'd): each of the four Pods goes through the same admission request; the image still carries only the whitelisted CVE-2019-5514, so all four are admitted
  49. A new vulnerability is found during scale up... CVE-2019-9919
  50. Kritis: Admission Flow (cont'd): Grafeas now also returns CVE-2019-9919 for the image, so the Pods still being created would fail the same policy the earlier Pods passed
  51. Kritis attestations to the rescue...
  52–59. Kritis: Admission Flow with attestations (built up over slides 52–59)
    ● 4 b) admitted: the image passed the Image Security Policy
    ● 5. Store attestations for admitted images: the Attestor, configured by an Attestation Authority CRD, writes an attestation for the admitted image into Grafeas
    ● 6. Fetch attestations for admitted image: when the scale-up Pods arrive after CVE-2019-9919 has been found, Kritis fetches the image's attestations from Grafeas
    ● 7. admitted: the image was attested when it was first admitted, so the new Pods are admitted without re-passing the vulnerability policy
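Steps 5–7 only work because the attestation is bound to the admitted image's digest, not to its name. The Go program below is an added example, not Kritis code: Kritis stores PGP-signed attestations as Grafeas occurrences under an AttestationAuthority note, and this example keeps that shape (an authority signs the digest of an image when it is admitted, and later admission requests for the same digest are accepted on that signature) using ed25519 from the Go standard library and a slice in place of PGP and Grafeas. The authority name, the image references and the digests are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Added example, not Kritis code. Kritis stores PGP-signed attestations as Grafeas
// occurrences under an AttestationAuthority note; this keeps that shape (an authority
// signs the digest of an admitted image at step 5, later admissions verify it at
// steps 6-7) using ed25519 and a slice in place of PGP and Grafeas. The authority
// name, image references and digests below are constructed.

// Authority models the AttestationAuthority CRD: the name attestations are matched
// by and the key they are verified with. Only the attestor holds priv.
type Authority struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Attestation is what step 5 stores for an admitted image.
type Attestation struct {
	Authority string
	Digest    string // the image digest that was signed, never a tag
	Signature []byte
}

func NewAuthority(name string) (*Authority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authority{Name: name, pub: pub, priv: priv}, nil
}

// DigestOf returns the sha256 digest of a fully qualified image reference. Tag-only
// references are refused: a tag can be re-pointed at another image after the
// attestation is written, so a signature over a tag would attest nothing.
func DigestOf(image string) (string, error) {
	i := strings.Index(image, "@sha256:")
	if i < 0 {
		return "", errors.New("image not referenced by digest: " + image)
	}
	d := image[i+len("@sha256:"):]
	if len(d) != 64 || strings.Trim(d, "0123456789abcdef") != "" {
		return "", errors.New("malformed digest in " + image)
	}
	return d, nil
}

// payload is the byte string that is signed. Binding the authority name into it keeps
// an attestation from being presented under another authority's name.
func payload(authority, digest string) []byte {
	return []byte(authority + "\nsha256:" + digest)
}

// Attest is step 5: sign the admitted image's digest.
func (a *Authority) Attest(image string) (Attestation, error) {
	d, err := DigestOf(image)
	if err != nil {
		return Attestation{}, err
	}
	return Attestation{Authority: a.Name, Digest: d, Signature: ed25519.Sign(a.priv, payload(a.Name, d))}, nil
}

// Verify is steps 6-7: true when some attestation was issued by this authority for
// exactly this digest and its signature checks; attestations for other digests or
// authorities, and tampered ones, are ignored. Newly found vulnerabilities play no part.
func (a *Authority) Verify(image string, atts []Attestation) bool {
	d, err := DigestOf(image)
	if err != nil {
		return false
	}
	for _, at := range atts {
		if at.Authority == a.Name && at.Digest == d && ed25519.Verify(a.pub, payload(a.Name, d), at.Signature) {
			return true
		}
	}
	return false
}

// main replays slides 52-59: attest the admitted site image, then admit the scale-up
// Pods on that attestation while refusing a tag-only reference to the same image.
func main() {
	a, err := NewAuthority("prod-attestor")
	if err != nil {
		panic(err)
	}
	site := "gcr.io/example/site@sha256:" + strings.Repeat("ab", 32) // constructed digest
	att, _ := a.Attest(site)
	stored := []Attestation{att} // what Grafeas would hold after step 5
	fmt.Println("scale-up pod, same digest:", a.Verify(site, stored))
	fmt.Println("pod by tag:", a.Verify("gcr.io/example/site:latest", stored))
}
```

Verify admits only on an exact digest match and a signature from the expected authority's key, and both Attest and Verify refuse tag-only references: after CVE-2019-9919 is discovered, the scale-up Pods are admitted because they run exactly the bytes that were reviewed, and someone who can push to the registry cannot inherit that approval by moving a tag. Note what the attestation does not do: it says nothing about vulnerabilities found after step 5, which is what the background cron on slides 60–64 is for.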
  60. Discovering new vulnerabilities in admitted containers ...
  61–64. Kritis: Background Cron: alongside the admission WebHook, a Background Cron periodically re-runs the Image Security Policy check, with fresh Grafeas metadata, over the images of Pods that are already running, so that a vulnerability found after admission (such as CVE-2019-9919) is surfaced for containers that were admitted on an attestation
  65. Kritis Terminology
    ● Custom Resource Definitions (CRDs)
      ○ Extension of the k8s API
      ○ Used to store enforcement policies as k8s objects
    ● Validating Admission Webhook
      ○ HTTP callbacks that receive an admission request and accept or reject it, to enforce custom admission policies
  66. ImageSecurityPolicy CRD
      apiVersion: kritis.grafeas.io/v1beta1
      kind: ImageSecurityPolicy
      metadata:
        name: my-isp
      spec:
        imageWhitelist:
        - gcr.io/kritis-int-test/nginx-digest-whitelist:latest
        packageVulnerabilityRequirements:
          maximumSeverity: MEDIUM
          whitelistCVEs:
          - providers/goog-vulnz/notes/CVE-2017-1000082
          - providers/goog-vulnz/notes/CVE-2017-1000081
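The policy above is what the Image Security Validator enforces, and the admission flow on slides 25–50 is a sequence of lookups against Grafeas Notes and Occurrences. The Go program below is an added example, not code from Grafeas or Kritis: it models the Note/Occurrence split from slides 15–19 with an in-memory store, implements the imageWhitelist, maximumSeverity and whitelistCVEs fields of the ImageSecurityPolicy above, and replays the scan-pending, CVE-2019-5514, whitelist and CVE-2019-9919 steps. Type names, the store layout, the severities given to the two CVEs and the image digest are constructed for the example.

```go
package main

import "strings"

// Added example, not Grafeas or Kritis code: an in-memory model of the Grafeas
// Note/Occurrence split (slides 15-19) and a Kritis-style ImageSecurityPolicy check
// over it (slides 25-50 and 66). Names, store layout, severities, digest: constructed.

type Severity int // ordered so that a policy can say "at most MEDIUM"
const (
	Low Severity = iota + 1
	Medium
	High
	Critical
)

// VulnNote is the shared description of one CVE (a Grafeas Note); VulnOccurrence is
// its presence in one artifact (a Grafeas Occurrence), keyed by the artifact's
// resource URL, https://<registry>/<image>@sha256:<digest>.
type VulnNote struct {
	Name     string // e.g. providers/goog-vulnz/notes/CVE-2019-5514
	Severity Severity
}
type VulnOccurrence struct{ NoteName, ResourceURL string }

// Store stands in for a Grafeas server; Scanned holds resource URLs whose scan finished.
type Store struct {
	Notes       map[string]VulnNote
	Occurrences map[string][]VulnOccurrence
	Scanned     map[string]bool
}

// AddFinding records a scan result: the note once, an occurrence for the affected
// image, and the image marked as scanned.
func (s *Store) AddFinding(n VulnNote, resourceURL string) {
	s.Notes[n.Name] = n
	s.Occurrences[resourceURL] = append(s.Occurrences[resourceURL], VulnOccurrence{n.Name, resourceURL})
	s.Scanned[resourceURL] = true
}

// Policy carries the fields of the ImageSecurityPolicy spec on slide 66.
type Policy struct {
	ImageWhitelist  []string
	MaximumSeverity Severity
	WhitelistCVEs   map[string]bool
}

// Decision is what the validating webhook answers for one image.
type Decision struct {
	Admitted bool
	Reason   string
}

// Review follows the admission flow: a whitelisted image is admitted without a Grafeas
// lookup; any other image must be digest-pinned (occurrences are keyed by digest, and a
// tag can move), must have a finished scan (otherwise deny, as on slides 38-40), and
// must carry no non-whitelisted note above maximumSeverity.
func Review(s *Store, p Policy, image string) Decision {
	for _, w := range p.ImageWhitelist {
		if w == image {
			return Decision{true, "image whitelisted"}
		}
	}
	if !strings.Contains(image, "@sha256:") {
		return Decision{false, "image not referenced by digest: " + image}
	}
	url := "https://" + image
	if !s.Scanned[url] {
		return Decision{false, "vulnerability scan not finished for " + image}
	}
	for _, occ := range s.Occurrences[url] {
		if p.WhitelistCVEs[occ.NoteName] {
			continue
		}
		if note, known := s.Notes[occ.NoteName]; !known || note.Severity > p.MaximumSeverity {
			return Decision{false, occ.NoteName + " exceeds maximumSeverity"} // unknown note: fail closed
		}
	}
	return Decision{true, "no unwhitelisted vulnerability above maximumSeverity"}
}

// Site is the e-commerce image from the slides, pinned to a constructed digest.
const Site = "gcr.io/example/site@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

// Story replays slides 25-50 without attestations: scan pending, CVE-2019-5514 found,
// that CVE whitelisted, then CVE-2019-9919 found during scale-up.
func Story() []Decision {
	s := &Store{map[string]VulnNote{}, map[string][]VulnOccurrence{}, map[string]bool{}}
	p := Policy{MaximumSeverity: Medium, WhitelistCVEs: map[string]bool{}}
	const cve5514, cve9919 = "providers/goog-vulnz/notes/CVE-2019-5514", "providers/goog-vulnz/notes/CVE-2019-9919"
	out := []Decision{Review(s, p, Site)}
	s.AddFinding(VulnNote{cve5514, High}, "https://"+Site)
	out = append(out, Review(s, p, Site))
	p.WhitelistCVEs[cve5514] = true
	out = append(out, Review(s, p, Site))
	s.AddFinding(VulnNote{cve9919, Critical}, "https://"+Site)
	return append(out, Review(s, p, Site))
}
```

Two choices in Review are deliberate. Missing scan metadata is a denial, not a pass, which is what slide 38 shows and what keeps a scanner outage from turning into a policy bypass. And only digest-pinned references are checked against Grafeas, because an occurrence is keyed by digest and a tag such as nginx-digest-whitelist:latest can be re-pointed after the policy was written, so an imageWhitelist entry by tag admits whatever that tag resolves to at deploy time. The same Review function is what a background re-check over already-running Pods would call with fresh metadata.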
  67. Kritis
    ● Open source, built with the community
    ● Plugs into the k8s admission controller
    ● Ensures vulnerability scanning before deployment
    ● Attests images and verifies them before deployment
    ● Applies a consistent deploy policy across k8s environments
    github.com/grafeas/kritis | kritis-users@googlegroups.com
  68. Coming soon... 0.1.0
  69. 0.1.0 Goals
    ● Enable users to start experimenting with Kritis and Grafeas
    ● Move towards hybrid-cloud support
    ● Gather community feedback
  70. 0.1.0 Scope: standalone Kritis on Kubernetes with standalone Grafeas
  71. 0.1.0 User Journeys
    ● Allow deployment of a container to a Kubernetes cluster
    ● Block deployment of an unadmitted container to the cluster
  72–73. 0.1.0 Features
    ● Grafeas:
      ○ Helm chart for Grafeas & published image
      ○ Standalone Grafeas server with Postgres storage backend
      ○ Basic support for Go client library
    ● Kritis:
      ○ GenericAttestationPolicy
      ○ Default admittance fallback policy is well-defined
      ○ Configurable
  74. Learn more and follow along! github.com/grafeas/{grafeas,kritis}; Google Groups: {grafeas,kritis}-users, grafeas-dev; @grafeasio. Gracias!
