Aysylu Greenberg, Google
Liron Levin, Palo Alto Networks
Binary Authorization in Kubernetes
Who are we
Aysylu Greenberg
Sr Software Engineer @ Google
Eng Lead of open-source Grafeas and Kritis
@aysylu22
Liron Levin
Chief software architect @ Prisma Cloud Compute
Grafeas and Kritis contributor
Today
● Why we need binary authorization
● Improve the security posture of your k8s cluster
● Learn about exciting open source security technologies
● Have fun and see cool demos
Software supply chain
Code → Build & Test (CI/CD) → Deploy
Software supply chain - reality
● Which images are deployed right now?
● Did all deployed images pass required QA tests?
● Does vulnerability CVE-2017-5638 (Equifax, Apache Struts RCE) impact production images?
Software supply chain
Code → Build & Test (CI/CD) → Authorize → Deploy
Binary authorization - use cases
● Require images to be signed by trusted authorities:
○ QA
○ DevOps
○ Security tools
● Require images to pass some restrictive security criteria (e.g., no critical severity unpatched vulnerabilities)
● Continuously monitor our inventory
https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
Open source
Pod lifecycle
● Kritis - Admission controller for policy enforcement
Create a pod → Kubernetes API → Validation webhook → Kritis (Image security validator) → Fetch policy (CRD) → Validate pod
Admission webhooks receive admission requests and do something with them.
Kritis policy is a CRD.
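Added example, not Kritis code, of the validating-webhook exchange in the diagram above: a Go program that decodes the AdmissionReview the Kubernetes API server POSTs to a validating webhook, pulls every image reference out of the pod, and answers with an AdmissionReview whose response echoes the request UID, carries the allowed flag and, on denial, a message. The field subsets, the sample request and the `RequireDigest` check (an illustrative stand-in for the policy and metadata lookups Kritis performs) are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the Kubernetes AdmissionReview v1 wire format: only the fields a
// pod-image validator needs. The API server fills Request; the webhook fills Response.
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}
type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the Pod being created
}
type AdmissionResponse struct {
	UID     string  `json:"uid"` // must echo the request UID
	Allowed bool    `json:"allowed"`
	Result  *Status `json:"status,omitempty"` // reason shown to the user on denial
}
type Status struct{ Message string `json:"message"` }

// Pod keeps just the image references; the rest of the object is ignored.
type Pod struct {
	Spec struct {
		InitContainers []Container `json:"initContainers"`
		Containers     []Container `json:"containers"`
	} `json:"spec"`
}
type Container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}

// ImageCheck is the hook where a real validator consults policy (CRD) and metadata; an error rejects the image.
type ImageCheck func(image string) error

// RequireDigest is the check used in this example: an image must be pinned by
// digest, because a tag can be re-pointed after the image was scanned or signed.
func RequireDigest(image string) error {
	if !strings.Contains(image, "@sha256:") {
		return fmt.Errorf("image %q is not pinned by digest", image)
	}
	return nil
}

// ValidatePod runs the check over every init and app container (init containers are easy to forget) and reports all failures.
func ValidatePod(pod Pod, check ImageCheck) (bool, string) {
	var reasons []string
	for _, c := range append(pod.Spec.InitContainers, pod.Spec.Containers...) {
		if err := check(c.Image); err != nil {
			reasons = append(reasons, fmt.Sprintf("container %q: %v", c.Name, err))
		}
	}
	return len(reasons) == 0, strings.Join(reasons, "; ")
}

// Review decodes an AdmissionReview and builds the reply the API server expects: the request
// UID echoed back, the allowed flag, and a reason on denial. A decode failure is an error, never an allow.
func Review(body []byte, check ImageCheck) (*AdmissionReview, error) {
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	if in.Request == nil {
		return nil, fmt.Errorf("AdmissionReview carries no request")
	}
	var pod Pod
	if err := json.Unmarshal(in.Request.Object, &pod); err != nil {
		return nil, fmt.Errorf("decode pod object: %w", err)
	}
	allowed, reason := ValidatePod(pod, check)
	out := &AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview",
		Response: &AdmissionResponse{UID: in.Request.UID, Allowed: allowed}}
	if !allowed {
		out.Response.Result = &Status{Message: reason}
	}
	return out, nil
}

// Constructed sample request (not captured from a real API server): one image pinned by digest, one sidecar on a mutable tag.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{
 "uid":"123","object":{"spec":{"containers":[
 {"name":"app","image":"gcr.io/my/image@sha256:0000"},
 {"name":"sidecar","image":"gcr.io/my/sidecar:latest"}]}}}}`

func main() {
	out, err := Review([]byte(sampleReview), RequireDigest)
	if err != nil {
		panic(err)
	}
	reply, _ := json.Marshal(out) // this is the body the webhook writes back
	fmt.Println(string(reply))
}
```

In a cluster, `Review` sits behind an HTTPS handler that a ValidatingWebhookConfiguration points at; that object's `failurePolicy` decides whether pods are admitted or rejected while the webhook is unreachable, and for an authorization gate the fail-closed setting (`Fail`) is the one that keeps the guarantee.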
Example policy
apiVersion: kritis.grafeas.io/v1beta1
kind: ImageSecurityPolicy
metadata:
  name: my-isp
  namespace: default
spec:
  attestationAuthorityNames:
  - kritis-authority
  imageAllowlist:
  - gcr.io/my/image
  packageVulnerabilityRequirements:
    maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL
    maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL
    allowlistCVEs:
    - providers/goog-vulnz/notes/CVE-2017-1000082
    - providers/goog-vulnz/notes/CVE-2017-1000081
Slide annotations:
● kind: the Custom Resource Definition. Supported values: ImageSecurityPolicy, GenericAttestationPolicy
● attestationAuthorityNames: allow deploying images signed by ‘kritis-authority’, so that previously admitted images can be re-admitted on pod restart
● imageAllowlist: allow specific external/infrastructure images
● packageVulnerabilityRequirements: constraint on vulnerability: vuln severity <= policy severity
● allowlistCVEs: carefully whitelist specific vulnerabilities
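An added example (not Kritis code) of how the packageVulnerabilityRequirements above can be evaluated, in Go. It implements the slide annotations: a finding passes when its severity is at most the policy maximum, BLOCK_ALL and ALLOW_ALL short-circuit, allowlisted CVEs are skipped by note name, and the maximumFixUnavailableSeverity limit is applied to findings without a fix. That last rule, and treating unknown severity values as violations, are this example's assumptions rather than documented Kritis behaviour; the `Finding` shape and the `CVE-EXAMPLE-*` note names are constructed.

```go
package main

import "fmt"

// Requirements mirrors packageVulnerabilityRequirements from the example policy.
type Requirements struct {
	MaximumSeverity               string   // LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL
	MaximumFixUnavailableSeverity string   // same values; applied when the finding has no fix
	AllowlistCVEs                 []string // Grafeas note names
}

// Finding is one vulnerability reported against an image. The shape is constructed
// for this example; a real validator reads it from a Grafeas vulnerability occurrence.
type Finding struct {
	NoteName     string // identifies the CVE, e.g. providers/goog-vulnz/notes/CVE-...
	Severity     string
	FixAvailable bool
}

var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Exceeds is the slide's rule "vuln severity <= policy severity": BLOCK_ALL rejects
// every finding, ALLOW_ALL none, and an unknown severity or limit fails closed so a
// scanner value the policy never anticipated cannot admit an image by accident.
func Exceeds(severity, limit string) bool {
	if limit == "ALLOW_ALL" {
		return false
	}
	s, okS := severityRank[severity]
	l, okL := severityRank[limit]
	return limit == "BLOCK_ALL" || !okS || !okL || s > l
}

// Violations returns one line per finding that breaks the requirements. The limit
// depends on whether a fix exists: with the slide's values an unfixable CRITICAL
// passes (ALLOW_ALL) while a fixable CRITICAL is rejected (exceeds HIGH).
func Violations(r Requirements, findings []Finding) []string {
	allow := map[string]bool{}
	for _, n := range r.AllowlistCVEs {
		allow[n] = true
	}
	var out []string
	for _, f := range findings {
		if allow[f.NoteName] { // carefully allowlisted, as the slide says
			continue
		}
		limit := r.MaximumSeverity
		if !f.FixAvailable {
			limit = r.MaximumFixUnavailableSeverity
		}
		if Exceeds(f.Severity, limit) {
			out = append(out, fmt.Sprintf("%s: %s exceeds %s", f.NoteName, f.Severity, limit))
		}
	}
	return out
}

// SlideRequirements copies the example policy's packageVulnerabilityRequirements.
var SlideRequirements = Requirements{
	MaximumSeverity:               "HIGH",
	MaximumFixUnavailableSeverity: "ALLOW_ALL",
	AllowlistCVEs: []string{
		"providers/goog-vulnz/notes/CVE-2017-1000082",
		"providers/goog-vulnz/notes/CVE-2017-1000081",
	},
}

// SampleFindings are constructed; CVE-EXAMPLE-* are placeholder note names, not real CVEs.
var SampleFindings = []Finding{
	{"providers/goog-vulnz/notes/CVE-2017-1000082", "CRITICAL", true}, // allowlisted: ignored
	{"providers/example/notes/CVE-EXAMPLE-1", "HIGH", true},           // HIGH <= HIGH: ok
	{"providers/example/notes/CVE-EXAMPLE-2", "CRITICAL", false},      // no fix: ALLOW_ALL applies
	{"providers/example/notes/CVE-EXAMPLE-3", "CRITICAL", true},       // fixable CRITICAL > HIGH
}

func main() {
	if v := Violations(SlideRequirements, SampleFindings); len(v) == 0 {
		fmt.Println("admit")
	} else {
		fmt.Println("deny:", v)
	}
}
```

The ALLOW_ALL value for maximumFixUnavailableSeverity is a deliberate trade-off in the slide's policy: it keeps unfixable findings from blocking every deploy, but it also means such findings never surface at admission time, so they need to be tracked elsewhere.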
Pod lifecycle
Create a pod → Kubernetes API → Validation webhook → Kritis (Image security validator) → Fetch policy (CRD) → Validate pod
Grafeas
Uniform way to audit your software supply chain
Grafeas metadata store
● Notes
- High level piece of metadata
- Vulnerability: CVE description & details
- Attestation: attestation authority
- Deployment
- Build history
- And more!
Vulnerability note:
{
  "name": "projects/provider_example/notes/test",
  "shortDescription": "A brief description of the note",
  "longDescription": "A longer description of the note",
  "kind": "VULNERABILITY",
  "vulnerability": {
    "details": [
      {
        "package": "libexempi3",
        "cpeUri": "cpe:/o:debian:debian_linux:7",
        "minAffectedVersion": {
          "name": "2.5.7",
          "revision": "1",
          "kind": "NORMAL"
        }
      }
    ]
  }
}
Attestation authority note:
{
  "name": "projects/image-signing/notes/production",
  "shortDescription": "Production image signer",
  "longDescription": "Production image signer",
  "kind": "ATTESTATION_AUTHORITY",
  "attestationAuthority": {
    "hint": {
      "humanReadableName": "production"
    }
  }
}
Grafeas metadata store
● Notes
● Occurrences
- Instantiation of a note
- Package where vulnerability was found
- Remediation
Vulnerability occurrence:
{
  "name": "projects/occurrence_example/occurrences/test",
  "resource": {
    "uri": "https://gcr.io/project/image@sha256:foo"
  },
  "noteName": "projects/provider_example/notes/test",
  "kind": "VULNERABILITY",
  "vulnerability": {
    "packageIssue": [
      {
        "affectedLocation": {
          "cpeUri": "7",
          "package": "a",
          "version": {
            "name": "v1.1.1",
            "kind": "NORMAL",
            "revision": "r"
          }
        },
        "fixedLocation": {
          "cpeUri": "cpe:/o:debian:debian_linux:7",
          "package": "a",
          "version": {
            "name": "namestring",
            "kind": "NORMAL",
            "revision": "1"
          }
        }
      }
    ]
  }
}
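An added example (not Grafeas or Kritis code) of working with the note/occurrence model above, in Go: it decodes notes and occurrences in the JSON shape shown on the slides into an in-memory store, refuses occurrences that point at a note it does not hold, and answers two questions from the earlier "reality" slide: which images a given vulnerability note occurs in, and whether an image carries an attestation under a given attestation-authority note. The struct subsets, the in-memory store and the sample occurrences are assumptions of this example; the two notes are the ones from the slides, reduced to two fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Note and Occurrence keep only the fields this example reads from the Grafeas
// JSON on the slides; the rest of each document is ignored on decode.
type Note struct {
	Name string `json:"name"`
	Kind string `json:"kind"` // VULNERABILITY, ATTESTATION_AUTHORITY, ...
}
type Occurrence struct {
	Name     string                           `json:"name"`
	Resource struct{ URI string `json:"uri"` } `json:"resource"` // the image, pinned by digest
	NoteName string                           `json:"noteName"` // the note this occurrence instantiates
	Kind     string                           `json:"kind"`
}

// Store is an in-memory stand-in for the Grafeas API + DB box on the slide.
type Store struct {
	notes       map[string]Note
	occurrences []Occurrence
}

// LoadStore decodes both collections and rejects any occurrence whose noteName does not
// resolve: a dangling reference is a scanner bug or a forged record, not real metadata.
func LoadStore(notesJSON, occurrencesJSON string) (*Store, error) {
	var notes []Note
	if err := json.Unmarshal([]byte(notesJSON), &notes); err != nil {
		return nil, fmt.Errorf("notes: %w", err)
	}
	s := &Store{notes: map[string]Note{}}
	for _, n := range notes {
		s.notes[n.Name] = n
	}
	if err := json.Unmarshal([]byte(occurrencesJSON), &s.occurrences); err != nil {
		return nil, fmt.Errorf("occurrences: %w", err)
	}
	for _, o := range s.occurrences {
		if _, ok := s.notes[o.NoteName]; !ok {
			return nil, fmt.Errorf("occurrence %s references unknown note %s", o.Name, o.NoteName)
		}
	}
	return s, nil
}

// image strips the https:// scheme Grafeas puts on resource URIs so results compare with pod image references.
func image(uri string) string { return strings.TrimPrefix(uri, "https://") }

// ImagesAffectedBy answers the slide's "does CVE-X impact production images?":
// every distinct image with a VULNERABILITY occurrence of that note.
func (s *Store) ImagesAffectedBy(noteName string) []string {
	seen := map[string]bool{}
	var out []string
	for _, o := range s.occurrences {
		img := image(o.Resource.URI)
		if o.NoteName == noteName && o.Kind == "VULNERABILITY" && !seen[img] {
			seen[img] = true
			out = append(out, img)
		}
	}
	return out
}

// AttestedBy reports whether img carries an ATTESTATION occurrence under the given authority
// note, refusing notes that are not ATTESTATION_AUTHORITY. Signature verification is out of scope here.
func (s *Store) AttestedBy(img, authorityNote string) bool {
	if n, ok := s.notes[authorityNote]; !ok || n.Kind != "ATTESTATION_AUTHORITY" {
		return false
	}
	for _, o := range s.occurrences {
		if o.Kind == "ATTESTATION" && o.NoteName == authorityNote && image(o.Resource.URI) == img {
			return true
		}
	}
	return false
}

// The two notes from the slides, reduced to the fields above.
const sampleNotes = `[
 {"name":"projects/provider_example/notes/test","kind":"VULNERABILITY"},
 {"name":"projects/image-signing/notes/production","kind":"ATTESTATION_AUTHORITY"}
]`

// Constructed occurrences (not real scan output): the test note found in two images, one of which was also attested.
const sampleOccurrences = `[
 {"name":"projects/occurrence_example/occurrences/1","resource":{"uri":"https://gcr.io/project/image@sha256:foo"},"noteName":"projects/provider_example/notes/test","kind":"VULNERABILITY"},
 {"name":"projects/occurrence_example/occurrences/2","resource":{"uri":"https://gcr.io/project/other@sha256:bar"},"noteName":"projects/provider_example/notes/test","kind":"VULNERABILITY"},
 {"name":"projects/occurrence_example/occurrences/3","resource":{"uri":"https://gcr.io/project/image@sha256:foo"},"noteName":"projects/image-signing/notes/production","kind":"ATTESTATION"}
]`

func main() {
	s, err := LoadStore(sampleNotes, sampleOccurrences)
	if err != nil {
		panic(err)
	}
	fmt.Println(s.ImagesAffectedBy("projects/provider_example/notes/test"))
	fmt.Println(s.AttestedBy("gcr.io/project/image@sha256:foo", "projects/image-signing/notes/production"))
}
```

Occurrences are keyed by the digest-pinned resource URI, so the inventory question is answered for exactly the bytes that run; an image with no occurrences at all simply has no findings, which is why scanner coverage of the registry matters as much as the policy itself.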
Pod lifecycle
Create a pod → Kubernetes API → Validation webhook → Kritis (Image security validator) → Fetch policy (CRD) → Validate pod
Image security validator → Fetch metadata → Grafeas API → DB
Who pushes security data to Grafeas?
Demo
https://github.com/grafeas/kritis/tree/master/docs/standalone
Roadmap
● Grafeas
○ New metadata kinds contributed by the community
■ License
■ Test
■ StaticAnalysis
■ InTotoLinkAttestation
○ Server v1.0
○ Move towards larger community ownership
■ Designate client owners for each language
■ Maintenance of the reference server v1.0
● Kritis
○ Production-ready, high-availability Kritis
○ Interoperability between BinAuthz and Kritis
○ More expressive policies based on stored metadata
References
● Deploy standalone Kritis + Grafeas in GKE
● Grafeas: github.com/grafeas/grafeas
● Kritis github repo: github.com/grafeas/kritis
● Mailing lists @googlegroups.com:
○ grafeas-users
○ grafeas-dev
○ kritis-users
● @Grafeasio
Aysylu Greenberg
 
PWL Denver: Copysets
PWL Denver: CopysetsPWL Denver: Copysets
PWL Denver: Copysets
Aysylu Greenberg
 
Distributed systems in practice, in theory (ScaleConf Colombia)
Distributed systems in practice, in theory (ScaleConf Colombia)Distributed systems in practice, in theory (ScaleConf Colombia)
Distributed systems in practice, in theory (ScaleConf Colombia)
Aysylu Greenberg
 
MesosCon Asia Keynote: Replacing a Jet Engine Mid-flight
MesosCon Asia Keynote: Replacing a Jet Engine Mid-flightMesosCon Asia Keynote: Replacing a Jet Engine Mid-flight
MesosCon Asia Keynote: Replacing a Jet Engine Mid-flight
Aysylu Greenberg
 
Distributed systems in practice, in theory (JAX London)
Distributed systems in practice, in theory (JAX London)Distributed systems in practice, in theory (JAX London)
Distributed systems in practice, in theory (JAX London)
Aysylu Greenberg
 
Building A Distributed Build System at Google Scale (StrangeLoop 2016)
Building A Distributed Build System at Google Scale (StrangeLoop 2016)Building A Distributed Build System at Google Scale (StrangeLoop 2016)
Building A Distributed Build System at Google Scale (StrangeLoop 2016)
Aysylu Greenberg
 
QCon NYC: Distributed systems in practice, in theory
QCon NYC: Distributed systems in practice, in theoryQCon NYC: Distributed systems in practice, in theory
QCon NYC: Distributed systems in practice, in theory
Aysylu Greenberg
 
Building a Distributed Build System at Google Scale
Building a Distributed Build System at Google ScaleBuilding a Distributed Build System at Google Scale
Building a Distributed Build System at Google Scale
Aysylu Greenberg
 
(+ Loom (years 2))
(+ Loom (years 2))(+ Loom (years 2))
(+ Loom (years 2))
Aysylu Greenberg
 
Distributed systems in practice, in theory
Distributed systems in practice, in theoryDistributed systems in practice, in theory
Distributed systems in practice, in theory
Aysylu Greenberg
 
Probabilistic Accuracy Bounds @ Papers We Love SF
Probabilistic Accuracy Bounds @ Papers We Love SFProbabilistic Accuracy Bounds @ Papers We Love SF
Probabilistic Accuracy Bounds @ Papers We Love SF
Aysylu Greenberg
 
Benchmarking (JAXLondon 2015)
Benchmarking (JAXLondon 2015)Benchmarking (JAXLondon 2015)
Benchmarking (JAXLondon 2015)
Aysylu Greenberg
 
Loom & Functional Graphs in Clojure @ LambdaConf 2015
Loom & Functional Graphs in Clojure @ LambdaConf 2015Loom & Functional Graphs in Clojure @ LambdaConf 2015
Loom & Functional Graphs in Clojure @ LambdaConf 2015
Aysylu Greenberg
 
Benchmarking (DevNexus 2015)
Benchmarking (DevNexus 2015)Benchmarking (DevNexus 2015)
Benchmarking (DevNexus 2015)
Aysylu Greenberg
 
Benchmarking (RICON 2014)
Benchmarking (RICON 2014)Benchmarking (RICON 2014)
Benchmarking (RICON 2014)
Aysylu Greenberg
 
Benchmarking: You're Doing It Wrong (StrangeLoop 2014)
Benchmarking: You're Doing It Wrong (StrangeLoop 2014)Benchmarking: You're Doing It Wrong (StrangeLoop 2014)
Benchmarking: You're Doing It Wrong (StrangeLoop 2014)
Aysylu Greenberg
 
PWL: One VM to Rule Them All
PWL: One VM to Rule Them AllPWL: One VM to Rule Them All
PWL: One VM to Rule Them All
Aysylu Greenberg
 

More from Aysylu Greenberg (20)

Software Supply Chain Observability with Grafeas and Kritis
Software Supply Chain Observability with Grafeas and KritisSoftware Supply Chain Observability with Grafeas and Kritis
Software Supply Chain Observability with Grafeas and Kritis
 
Software Supply Chain Management with Grafeas and Kritis
Software Supply Chain Management with Grafeas and KritisSoftware Supply Chain Management with Grafeas and Kritis
Software Supply Chain Management with Grafeas and Kritis
 
Zero Downtime Migrations at Scale
Zero Downtime Migrations at ScaleZero Downtime Migrations at Scale
Zero Downtime Migrations at Scale
 
Zero Downtime Migration
Zero Downtime MigrationZero Downtime Migration
Zero Downtime Migration
 
PWL Denver: Copysets
PWL Denver: CopysetsPWL Denver: Copysets
PWL Denver: Copysets
 
Distributed systems in practice, in theory (ScaleConf Colombia)
Distributed systems in practice, in theory (ScaleConf Colombia)Distributed systems in practice, in theory (ScaleConf Colombia)
Distributed systems in practice, in theory (ScaleConf Colombia)
 
MesosCon Asia Keynote: Replacing a Jet Engine Mid-flight
MesosCon Asia Keynote: Replacing a Jet Engine Mid-flightMesosCon Asia Keynote: Replacing a Jet Engine Mid-flight
MesosCon Asia Keynote: Replacing a Jet Engine Mid-flight
 
Distributed systems in practice, in theory (JAX London)
Distributed systems in practice, in theory (JAX London)Distributed systems in practice, in theory (JAX London)
Distributed systems in practice, in theory (JAX London)
 
Building A Distributed Build System at Google Scale (StrangeLoop 2016)
Building A Distributed Build System at Google Scale (StrangeLoop 2016)Building A Distributed Build System at Google Scale (StrangeLoop 2016)
Building A Distributed Build System at Google Scale (StrangeLoop 2016)
 
QCon NYC: Distributed systems in practice, in theory
QCon NYC: Distributed systems in practice, in theoryQCon NYC: Distributed systems in practice, in theory
QCon NYC: Distributed systems in practice, in theory
 
Building a Distributed Build System at Google Scale
Building a Distributed Build System at Google ScaleBuilding a Distributed Build System at Google Scale
Building a Distributed Build System at Google Scale
 
(+ Loom (years 2))
(+ Loom (years 2))(+ Loom (years 2))
(+ Loom (years 2))
 
Distributed systems in practice, in theory
Distributed systems in practice, in theoryDistributed systems in practice, in theory
Distributed systems in practice, in theory
 
Probabilistic Accuracy Bounds @ Papers We Love SF
Probabilistic Accuracy Bounds @ Papers We Love SFProbabilistic Accuracy Bounds @ Papers We Love SF
Probabilistic Accuracy Bounds @ Papers We Love SF
 
Benchmarking (JAXLondon 2015)
Benchmarking (JAXLondon 2015)Benchmarking (JAXLondon 2015)
Benchmarking (JAXLondon 2015)
 
Loom & Functional Graphs in Clojure @ LambdaConf 2015
Loom & Functional Graphs in Clojure @ LambdaConf 2015Loom & Functional Graphs in Clojure @ LambdaConf 2015
Loom & Functional Graphs in Clojure @ LambdaConf 2015
 
Benchmarking (DevNexus 2015)
Benchmarking (DevNexus 2015)Benchmarking (DevNexus 2015)
Benchmarking (DevNexus 2015)
 
Benchmarking (RICON 2014)
Benchmarking (RICON 2014)Benchmarking (RICON 2014)
Benchmarking (RICON 2014)
 
Benchmarking: You're Doing It Wrong (StrangeLoop 2014)
Benchmarking: You're Doing It Wrong (StrangeLoop 2014)Benchmarking: You're Doing It Wrong (StrangeLoop 2014)
Benchmarking: You're Doing It Wrong (StrangeLoop 2014)
 
PWL: One VM to Rule Them All
PWL: One VM to Rule Them AllPWL: One VM to Rule Them All
PWL: One VM to Rule Them All
 

Recently uploaded

Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Crescat
 
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptxText-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
ShamsuddeenMuhammadA
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Shahin Sheidaei
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Neo4j
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
Aftab Hussain
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
Shane Coughlan
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
Globus
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
Neo4j
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
Alina Yurenko
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
abdulrafaychaudhry
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 

Recently uploaded (20)

Vitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdfVitthal Shirke Java Microservices Resume.pdf
Vitthal Shirke Java Microservices Resume.pdf
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
 
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptxText-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
 
openEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain SecurityopenEuler Case Study - The Journey to Supply Chain Security
openEuler Case Study - The Journey to Supply Chain Security
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
GlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote sessionGlobusWorld 2024 Opening Keynote session
GlobusWorld 2024 Opening Keynote session
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
 
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)GOING AOT WITH GRAALVM FOR  SPRING BOOT (SPRING IO)
GOING AOT WITH GRAALVM FOR SPRING BOOT (SPRING IO)
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 

Binary Authorization in Kubernetes

  • 19. Binary authorization - use cases
    ● Require images to be signed by trusted authorities:
      ○ QA
      ○ DevOps
      ○ Security tools
    ● Require images to pass some restrictive security criteria (e.g., no critical severity unpatched vulnerabilities)
    ● Continuously monitor our inventory
    https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
  • 25-29. Pod lifecycle
    ● Kritis - Admission controller for policy enforcement
    Flow: Create a pod → Kubernetes API → Validation webhook (Validate pod) → Kritis: Image security validator → Fetch policy (CRD)
    Admission webhooks receive admission requests and do something with them. Kritis policy is a CRD.
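The admission path the slides sketch (Kubernetes API → validation webhook → Kritis), as an added example that is not Kritis's own code: a stdlib-only Go handler body that decodes an admission.k8s.io/v1 AdmissionReview, runs a pluggable per-image check over every container in the pod, and answers with the request uid echoed back. RequireDigest, the constructed SampleReview, its uid and the image names are assumptions made for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal admission.k8s.io/v1 AdmissionReview shapes, declared by hand so the example
// runs without the k8s.io client libraries; only the fields used here appear.
type (
	container struct {
		Name  string `json:"name"`
		Image string `json:"image"`
	}
	podSpec struct {
		InitContainers      []container `json:"initContainers"`
		Containers          []container `json:"containers"`
		EphemeralContainers []container `json:"ephemeralContainers"`
	}
	admissionRequest struct {
		UID    string `json:"uid"`
		Object struct {
			Spec podSpec `json:"spec"`
		} `json:"object"`
	}
	status struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
	}
	admissionResponse struct {
		UID     string  `json:"uid"`
		Allowed bool    `json:"allowed"`
		Status  *status `json:"status,omitempty"`
	}
	admissionReview struct {
		APIVersion string             `json:"apiVersion"`
		Kind       string             `json:"kind"`
		Request    *admissionRequest  `json:"request,omitempty"`
		Response   *admissionResponse `json:"response,omitempty"`
	}
)

// ImageCheck decides whether one image reference may run; Kritis plugs its policy
// evaluation in here. RequireDigest below is a hypothetical baseline check.
type ImageCheck func(image string) error

// RequireDigest rejects tag-only references: a tag can be re-pointed after the image
// was signed or scanned, so authorization has to bind to the content digest.
func RequireDigest(image string) error {
	if !strings.Contains(image, "@sha256:") {
		return fmt.Errorf("%s is not pinned to a digest", image)
	}
	return nil
}

// Review runs check over every container image in the pod and returns the AdmissionReview
// to send back; request.uid is echoed so the API server can match the response.
func Review(body []byte, check ImageCheck) ([]byte, error) {
	var in admissionReview
	if err := json.Unmarshal(body, &in); err != nil {
		return nil, err
	}
	if in.Request == nil {
		return nil, fmt.Errorf("admission review carries no request")
	}
	spec := in.Request.Object.Spec
	// Init and ephemeral containers execute code too; checking only .containers is a common gap.
	all := append(append(append([]container{}, spec.InitContainers...), spec.Containers...), spec.EphemeralContainers...)
	var denials []string
	for _, c := range all {
		if err := check(c.Image); err != nil {
			denials = append(denials, fmt.Sprintf("container %q: %v", c.Name, err))
		}
	}
	resp := &admissionResponse{UID: in.Request.UID, Allowed: len(denials) == 0}
	if !resp.Allowed {
		resp.Status = &status{Code: 403, Message: strings.Join(denials, "; ")}
	}
	return json.Marshal(admissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp})
}

// SampleReview is a constructed AdmissionReview: the app container is digest-pinned,
// the init container still uses a mutable tag.
const SampleReview = `{
  "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
  "request": {
    "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
    "object": {"kind": "Pod", "spec": {
      "initContainers": [{"name": "init", "image": "gcr.io/my/init:latest"}],
      "containers": [{"name": "app", "image": "gcr.io/my/app@sha256:0123456789abcdef"}]}}}}`

func main() {
	out, err := Review([]byte(SampleReview), RequireDigest)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out)) // allowed:false; status.message names the init container
}
```

Serve Review behind an HTTPS handler at the path named in the ValidatingWebhookConfiguration; Kritis would replace RequireDigest with its ImageSecurityPolicy evaluation. Mind the failurePolicy: with the admissionregistration.k8s.io/v1 default of Fail, an error or timeout from the webhook denies the pod, so an unavailable Kritis stops deployments rather than letting unchecked images through.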
  • 30-35. Example policy
    apiVersion: kritis.grafeas.io/v1beta1
    kind: ImageSecurityPolicy            # the Custom Resource Definition; supported kinds: ImageSecurityPolicy, GenericAttestationPolicy
    metadata:
      name: my-isp
      namespace: default
    spec:
      attestationAuthorityNames:         # allow deploying images signed by 'kritis-authority', so previously admitted images are re-admitted on pod restart
      - kritis-authority
      imageAllowlist:                    # allow specific external/infrastructure images
      - gcr.io/my/image
      packageVulnerabilityRequirements:
        maximumSeverity: HIGH            # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL; constraint on vulnerability: vuln severity <= policy severity
        maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL
        allowlistCVEs:                   # carefully allowlist specific vulnerabilities
        - providers/goog-vulnz/notes/CVE-2017-1000082
        - providers/goog-vulnz/notes/CVE-2017-1000081
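How the vulnerability fields of that policy combine, as an added example that is not Kritis's own validator: a Go evaluation of imageAllowlist, maximumSeverity, maximumFixUnavailableSeverity and allowlistCVEs against constructed scanner findings. Two readings are assumptions and should be checked against the Kritis docs linked earlier before relying on them: the allowlist matches by image name once tag and digest are stripped, and a finding without a fix is judged only against maximumFixUnavailableSeverity while a fixable one is judged against maximumSeverity. The CVE-2019-* note names and the app image are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// severityRank orders the severities a policy can name. The two sentinels sit at the ends:
// a BLOCK_ALL ceiling is exceeded by every severity, an ALLOW_ALL ceiling by none.
var severityRank = map[string]int{"BLOCK_ALL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4, "ALLOW_ALL": 5}

// Finding is one vulnerability occurrence for an image, reduced to what the policy needs.
type Finding struct {
	NoteName     string // Grafeas note name, e.g. providers/goog-vulnz/notes/CVE-2017-1000082
	Severity     string // LOW | MEDIUM | HIGH | CRITICAL
	FixAvailable bool   // false when the scanner reports no fixed package version
}

// ImageSecurityPolicy mirrors the vulnerability-related spec fields of the slide's my-isp policy.
type ImageSecurityPolicy struct {
	ImageAllowlist                []string
	MaximumSeverity               string
	MaximumFixUnavailableSeverity string
	AllowlistCVEs                 []string
}

// exceeds reports whether severity is above the ceiling; unknown values fail closed.
func exceeds(severity, ceiling string) bool {
	r, ok := severityRank[severity]
	return !ok || r > severityRank[ceiling]
}

// stripRef drops a :tag or @digest so "gcr.io/my/image@sha256:..." matches the
// allowlist entry "gcr.io/my/image" (assumption: the allowlist matches by image name).
func stripRef(image string) string {
	image = strings.SplitN(image, "@", 2)[0]
	if i := strings.LastIndex(image, ":"); i > strings.LastIndex(image, "/") { // a tag, not a registry port
		image = image[:i]
	}
	return image
}

// Evaluate returns the policy violations for image given its scanner findings;
// an empty result means the pod may be admitted under this policy.
func Evaluate(p ImageSecurityPolicy, image string, findings []Finding) []string {
	// Allowlisted infrastructure/external images skip the vulnerability checks entirely.
	for _, allowed := range p.ImageAllowlist {
		if stripRef(image) == stripRef(allowed) {
			return nil
		}
	}
	ignored := map[string]bool{}
	for _, n := range p.AllowlistCVEs {
		ignored[n] = true
	}
	var violations []string
	for _, f := range findings {
		if ignored[f.NoteName] {
			continue // explicitly accepted risk
		}
		// Assumed reading: no fix -> judged against maximumFixUnavailableSeverity, else maximumSeverity.
		ceiling := p.MaximumSeverity
		if !f.FixAvailable {
			ceiling = p.MaximumFixUnavailableSeverity
		}
		if exceeds(f.Severity, ceiling) {
			violations = append(violations, fmt.Sprintf("%s: severity %s (fix available: %t) exceeds %s",
				f.NoteName, f.Severity, f.FixAvailable, ceiling))
		}
	}
	return violations
}

// SamplePolicy is the slide's my-isp policy; SampleFindings is constructed scanner output.
func SamplePolicy() ImageSecurityPolicy {
	return ImageSecurityPolicy{
		ImageAllowlist:                []string{"gcr.io/my/image"},
		MaximumSeverity:               "HIGH",
		MaximumFixUnavailableSeverity: "ALLOW_ALL",
		AllowlistCVEs:                 []string{"providers/goog-vulnz/notes/CVE-2017-1000082"},
	}
}

func SampleFindings() []Finding {
	return []Finding{
		{"providers/goog-vulnz/notes/CVE-2017-1000082", "HIGH", false},  // allowlisted: ignored
		{"providers/goog-vulnz/notes/CVE-2019-0001", "MEDIUM", true},    // fixable, within HIGH
		{"providers/goog-vulnz/notes/CVE-2019-0002", "CRITICAL", true},  // fixable, above HIGH: violation
		{"providers/goog-vulnz/notes/CVE-2019-0003", "CRITICAL", false}, // no fix, ALLOW_ALL: tolerated
	}
}

func main() {
	for _, v := range Evaluate(SamplePolicy(), "gcr.io/my/app@sha256:0123", SampleFindings()) {
		fmt.Println("DENY:", v)
	}
}
```

Run as written, the sample image is denied for CVE-2019-0002 only: the allowlisted CVE is skipped, and the unfixable CRITICAL is tolerated because maximumFixUnavailableSeverity is ALLOW_ALL. Switch that field to BLOCK_ALL and the unfixable finding becomes a second violation, which is the knob to turn once a team can tolerate blocked deploys for vulnerabilities it cannot yet patch.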
  • 36-38. Pod lifecycle
    Create a pod → Kubernetes API → Validation webhook (Validate pod) → Kritis: Image security validator → Fetch policy (CRD)
    Grafeas: uniform way to audit your software supply chain
  • 39-44. Grafeas metadata store
    ● Notes - High level piece of metadata
      - Vulnerability: CVE description & details
      - Attestation: attestation authority
      - Deployment
      - Build history
      - And more!
    Vulnerability note:
      {
        "name": "projects/provider_example/notes/test",
        "shortDescription": "A brief description of the note",
        "longDescription": "A longer description of the note",
        "kind": "VULNERABILITY",
        "vulnerability": {
          "details": [
            {
              "package": "libexempi3",
              "cpeUri": "cpe:/o:debian:debian_linux:7",
              "minAffectedVersion": {
                "name": "2.5.7",
                "revision": "1",
                "kind": "NORMAL"
              }
            }
          ]
        }
      }
    Attestation authority note:
      {
        "name": "projects/image-signing/notes/production",
        "shortDescription": "Production image signer",
        "longDescription": "Production image signer",
        "kind": "ATTESTATION_AUTHORITY",
        "attestationAuthority": {
          "hint": {
            "humanReadableName": "production"
          }
        }
      }
  • 45-49. Grafeas metadata store
    ● Notes
    ● Occurrences - Instantiation of a note
      - Package where vulnerability was found (affectedLocation)
      - Remediation (fixedLocation)
      {
        "name": "projects/occurrence_example/occurrences/test",
        "resource": {
          "uri": "https://gcr.io/project/image@sha256:foo"
        },
        "noteName": "projects/provider_example/notes/test",
        "kind": "VULNERABILITY",
        "vulnerability": {
          "packageIssue": [
            {
              "affectedLocation": {
                "cpeUri": "7",
                "package": "a",
                "version": { "name": "v1.1.1", "kind": "NORMAL", "revision": "r" }
              },
              "fixedLocation": {
                "cpeUri": "cpe:/o:debian:debian_linux:7",
                "package": "a",
                "version": { "name": "namestring", "kind": "NORMAL", "revision": "1" }
              }
            }
          ]
        }
      }
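The note/occurrence model put to work, as an added example that is not Grafeas's own code: Go that decodes a constructed set of occurrences in the shape above, groups them by image digest, reads fix availability from fixedLocation, answers the earlier "does CVE-2017-5638 impact our images?" question, and checks for an attestation occurrence from an authority note. Assumptions: the sample occurrences and their names, the struts2-core package/version strings, and the convention that a fixedLocation whose version kind is MAXIMUM means no fix exists yet.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Subset of the Grafeas v1beta1 Occurrence JSON shown on the slides, declared by hand
// so the example runs without the Grafeas client libraries.
type (
	Version struct {
		Name string `json:"name"`
		Kind string `json:"kind"` // NORMAL, MINIMUM or MAXIMUM
	}
	Location struct {
		Package string  `json:"package"`
		Version Version `json:"version"`
	}
	PackageIssue struct {
		AffectedLocation Location  `json:"affectedLocation"`         // package where the vulnerability was found
		FixedLocation    *Location `json:"fixedLocation,omitempty"` // remediation, if any
	}
	Occurrence struct {
		Name          string                           `json:"name"`
		Resource      struct{ URI string `json:"uri"` } `json:"resource"`
		NoteName      string                           `json:"noteName"` // the note this occurrence instantiates
		Kind          string                           `json:"kind"`     // VULNERABILITY, ATTESTATION, ...
		Vulnerability *struct {
			PackageIssue []PackageIssue `json:"packageIssue"`
		} `json:"vulnerability,omitempty"`
	}
)

// Inventory groups occurrences by the resource they describe (the image digest).
type Inventory map[string][]Occurrence

func LoadInventory(occurrencesJSON string) (Inventory, error) {
	var occs []Occurrence
	if err := json.Unmarshal([]byte(occurrencesJSON), &occs); err != nil {
		return nil, err
	}
	inv := Inventory{}
	for _, o := range occs {
		if o.Resource.URI == "" || o.NoteName == "" {
			return nil, fmt.Errorf("occurrence %s lacks a resource or noteName", o.Name)
		}
		inv[o.Resource.URI] = append(inv[o.Resource.URI], o)
	}
	return inv, nil
}

// FixAvailable reads the remediation half of a package issue. Assumed convention:
// no fixedLocation, or one whose version kind is MAXIMUM, means no fix exists yet.
func FixAvailable(pi PackageIssue) bool {
	return pi.FixedLocation != nil && pi.FixedLocation.Version.Kind != "MAXIMUM"
}

// ImagesAffectedBy matches vulnerability occurrences whose note name ends in /notes/<cve>;
// sorted, because map iteration order is random.
func (inv Inventory) ImagesAffectedBy(cve string) []string {
	var images []string
	for uri, occs := range inv {
		for _, o := range occs {
			if o.Kind == "VULNERABILITY" && strings.HasSuffix(o.NoteName, "/notes/"+cve) {
				images = append(images, uri)
				break
			}
		}
	}
	sort.Strings(images)
	return images
}

// Attested reports whether an ATTESTATION occurrence from authorityNote exists for image.
func (inv Inventory) Attested(image, authorityNote string) bool {
	for _, o := range inv[image] {
		if o.Kind == "ATTESTATION" && o.NoteName == authorityNote {
			return true
		}
	}
	return false
}

// SampleOccurrences is constructed data: CVE-2017-5638 on two images, fixed in one (Struts
// 2.3.32) and marked MAXIMUM (no fix) in the other, plus a production attestation for the latter.
const SampleOccurrences = `[
 {"name": "projects/scan/occurrences/1", "resource": {"uri": "https://gcr.io/project/web@sha256:aaa"},
  "noteName": "projects/goog-vulnz/notes/CVE-2017-5638", "kind": "VULNERABILITY",
  "vulnerability": {"packageIssue": [{"affectedLocation": {"package": "struts2-core", "version": {"name": "2.3.5", "kind": "NORMAL"}},
                                      "fixedLocation": {"package": "struts2-core", "version": {"name": "2.3.32", "kind": "NORMAL"}}}]}},
 {"name": "projects/scan/occurrences/2", "resource": {"uri": "https://gcr.io/project/api@sha256:bbb"},
  "noteName": "projects/goog-vulnz/notes/CVE-2017-5638", "kind": "VULNERABILITY",
  "vulnerability": {"packageIssue": [{"affectedLocation": {"package": "struts2-core", "version": {"name": "2.3.5", "kind": "NORMAL"}},
                                      "fixedLocation": {"package": "struts2-core", "version": {"kind": "MAXIMUM"}}}]}},
 {"name": "projects/signing/occurrences/3", "resource": {"uri": "https://gcr.io/project/api@sha256:bbb"},
  "noteName": "projects/image-signing/notes/production", "kind": "ATTESTATION"}]`

func main() {
	inv, err := LoadInventory(SampleOccurrences)
	if err != nil {
		panic(err)
	}
	fmt.Println("affected by CVE-2017-5638:", inv.ImagesAffectedBy("CVE-2017-5638"))
}
```

The resource URI is the image digest, not a tag, which is what makes the join trustworthy: a scan or signature recorded against gcr.io/project/api@sha256:bbb cannot be inherited by a different image that later takes the same tag. In the sample the api image is both attested for production and carrying an unfixable CVE, exactly the situation a monitoring query over the store should surface.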
  • 50-53. Pod lifecycle (diagram)
    Create a pod → Kubernetes API → validation webhook → Kritis (image security validator)
    Kritis: fetch policy (CRD) → fetch metadata from the Grafeas API (backed by a DB) → validate pod
    Who pushes security data to Grafeas?
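The validation step of the pod lifecycle above (webhook receives the pod, fetches the policy, fetches metadata from Grafeas, admits or denies), run over occurrences in the shape of the Grafeas metadata store example on slides 47-49, as an added example in Go. This is not Kritis's or Grafeas's own code. It assumes: Policy field names MaxSeverity, MaxFixUnavailableSeverity and Whitelist (modelled on Kritis's ImageSecurityPolicy, names chosen here); an in-memory MetadataStore standing in for the Grafeas API; a fixedLocation version of kind MAXIMUM as the "no fix available" marker; and constructed sample occurrences with the hypothetical note names vuln-a and vuln-b.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Rank of Grafeas severity names, so a policy can say "at most HIGH".
var severityRank = map[string]int{"MINIMAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

// Occurrence is the subset of a Grafeas vulnerability occurrence that this check reads.
type Occurrence struct {
	Resource      struct{ URI string `json:"uri"` } `json:"resource"`
	NoteName      string `json:"noteName"`
	Kind          string `json:"kind"`
	Vulnerability struct {
		Severity     string `json:"severity"`
		PackageIssue []struct {
			FixedLocation struct{ Version struct{ Kind string `json:"kind"` } `json:"version"` } `json:"fixedLocation"`
		} `json:"packageIssue"`
	} `json:"vulnerability"`
}

// Policy mirrors the knobs of a Kritis ImageSecurityPolicy (field names assumed here).
type Policy struct {
	MaxSeverity               string          // highest severity allowed when a fix exists
	MaxFixUnavailableSeverity string          // highest severity allowed when no fix exists
	Whitelist                 map[string]bool // note names the operator has accepted
}

// MetadataStore stands in for the Grafeas API: image reference -> its occurrences.
type MetadataStore map[string][]Occurrence

// LoadStore groups a JSON array of occurrences by image, dropping the "https://" scheme
// that Grafeas puts on resource URIs so that pod image references match directly.
func LoadStore(raw string) (MetadataStore, error) {
	var occs []Occurrence
	if err := json.Unmarshal([]byte(raw), &occs); err != nil {
		return nil, err
	}
	store := MetadataStore{}
	for _, o := range occs {
		key := strings.TrimPrefix(o.Resource.URI, "https://")
		store[key] = append(store[key], o)
	}
	return store, nil
}

// fixAvailable is false when any affected package has no fix; a fixedLocation version
// of kind MAXIMUM is taken as the "no fix" sentinel (assumption, see lead-in).
func fixAvailable(o Occurrence) bool {
	for _, pi := range o.Vulnerability.PackageIssue {
		if pi.FixedLocation.Version.Kind == "MAXIMUM" {
			return false
		}
	}
	return true
}

// ValidateImage returns the policy violations for one container image reference.
func ValidateImage(image string, store MetadataStore, p Policy) []string {
	// Only digest references are accepted: a tag can be re-pointed after the scan ran.
	if !strings.Contains(image, "@sha256:") {
		return []string{image + ": image must be referenced by digest, not tag"}
	}
	var violations []string
	for _, o := range store[image] {
		if o.Kind != "VULNERABILITY" || p.Whitelist[o.NoteName] {
			continue
		}
		limit := p.MaxSeverity
		if !fixAvailable(o) {
			limit = p.MaxFixUnavailableSeverity
		}
		if severityRank[o.Vulnerability.Severity] > severityRank[limit] {
			violations = append(violations, fmt.Sprintf("%s: %s is %s, policy allows at most %s", image, o.NoteName, o.Vulnerability.Severity, limit))
		}
	}
	return violations
}

// ValidatePod is the webhook decision: admit only if every container image passes.
func ValidatePod(images []string, store MetadataStore, p Policy) (bool, []string) {
	var reasons []string
	for _, img := range images {
		reasons = append(reasons, ValidateImage(img, store, p)...)
	}
	return len(reasons) == 0, reasons
}

// Constructed sample occurrences (not real scan output): one CRITICAL finding with a fix
// and one MEDIUM finding with no fix, both recorded against the same image digest.
const SampleOccurrences = `[
 {"resource":{"uri":"https://gcr.io/project/image@sha256:foo"},"kind":"VULNERABILITY","noteName":"projects/provider_example/notes/vuln-a","vulnerability":{"severity":"CRITICAL","packageIssue":[{"fixedLocation":{"version":{"name":"1.2","kind":"NORMAL"}}}]}},
 {"resource":{"uri":"https://gcr.io/project/image@sha256:foo"},"kind":"VULNERABILITY","noteName":"projects/provider_example/notes/vuln-b","vulnerability":{"severity":"MEDIUM","packageIssue":[{"fixedLocation":{"version":{"kind":"MAXIMUM"}}}]}}
]`

func main() {
	store, _ := LoadStore(SampleOccurrences)
	fmt.Println(ValidatePod([]string{"gcr.io/project/image@sha256:foo"}, store, Policy{MaxSeverity: "HIGH", MaxFixUnavailableSeverity: "LOW"}))
}
```

With the policy in main the image is denied for two reasons: the CRITICAL finding exceeds MaxSeverity HIGH, and the unfixable MEDIUM finding exceeds MaxFixUnavailableSeverity LOW. Whitelist the first note and raise the no-fix limit to MEDIUM and the pod is admitted. Two caveats worth keeping in mind: an image referenced by tag is refused before any metadata lookup, because the digest is what ties the pod to the scan; and an image with no occurrences at all is admitted here, so a real deployment should also check that a scan actually completed (Grafeas records that as a DISCOVERY occurrence) or require an attestation, so that a never-scanned image cannot pass by default.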
  • 56-65. Roadmap
    ● Grafeas
      ○ New metadata kinds contributed by the community: License, Test, StaticAnalysis, InTotoLinkAttestation
      ○ Server v1.0
      ○ Move towards larger community ownership
        ■ Designate client owners for each language
        ■ Maintenance of the reference server v1.0
    ● Kritis
      ○ Production-ready, high-availability Kritis
      ○ Interoperability between BinAuthz and Kritis
      ○ More expressive policies based on stored metadata
  • 66. References
    ● Deploy standalone Kritis + Grafeas in GKE
    ● Grafeas: github.com/grafeas/grafeas
    ● Kritis github repo: github.com/grafeas/kritis
    ● Mailing lists @googlegroups.com:
      ○ grafeas-users
      ○ grafeas-dev
      ○ kritis-users
    ● @Grafeasio