Aysylu Greenberg, profile picture
Uploaded byAysylu Greenberg
PDF, PPTX1,948 views

Binary Authorization in Kubernetes

The document discusses the importance of binary authorization in Kubernetes to enhance security by ensuring that only trusted images are deployed in a cluster. It introduces the Kritis tool as an admission controller for policy enforcement, limiting image deployment based on security criteria and vulnerability assessments. Additionally, it covers the Grafeas metadata store for managing vulnerabilities and attestation authorities, along with examples of image security policies.

Download as PDF, PPTX
Aysylu Greenberg, Google Liron Levin, Palo Alto Networks Binary Authorization in Kubernetes
Who are we Aysylu Greenberg Sr Software Engineer @ Google Eng Lead of open-source Grafeas and Kritis @aysylu22 Liron Levin Chief software architect @ Prisma Cloud Compute Grafeas and Kritis contributor
Today ● Why we need binary authorization
Today ● Why we need binary authorization ● Improve the security posture of your k8s cluster
Today ● Why we need binary authorization ● Improve the security posture of your k8s cluster ● Learn about exciting open source security technologies
Today ● Why we need binary authorization ● Improve the security posture of your k8s cluster ● Learn about exciting open source security technologies ● Have fun and see cool demos
Software supply chain Code
Software supply chain Build & Test (CI/CD) Code
Software supply chain Build & Test (CI/CD) Code Deploy
Software supply chain - reality
Software supply chain - reality ● Which images are deployed right now?
Software supply chain - reality ● Which images are deployed right now? ● Did all deployed images pass required QA tests
Software supply chain - reality ● Which images are deployed right now? ● Did all deployed images pass required QA tests ● Does vulnerability CVE-2017-5638 (Equifax, apache struts RCE) impact production images?
Software supply chain Build & Test (CI/CD) Code Deploy
Software supply chain Build & Test (CI/CD) Code DeployAuthorize
Binary authorization - use cases ● Require images to be signed by trusted authorities: ○ QA ○ DevOps ○ Security tools https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
Binary authorization - use cases ● Require images to be signed by trusted authorities: ○ QA ○ DevOps ○ Security tools ● Require images to pass some restrictive security criteria (e.g., no critical severity unpatched vulnerabilities) https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
Binary authorization - use cases ● Require images to be signed by trusted authorities: ○ QA ○ DevOps ○ Security tools ● Require images to pass some restrictive security criteria (e.g., no critical severity unpatched vulnerabilities) ● Continuously monitor our inventory https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
Open source
Open source
Open source
Pod lifecycle Kubernentes API
Pod lifecycle Kubernentes API Create a pod
Pod lifecycle ● Kritis - Admission controller for policy enforcement Kubernentes API Kritis Create a pod
Pod lifecycle ● Kritis - Admission controller for policy enforcement Kubernentes API Validation webhook Kritis Create a pod Validate pod Admission webhooks receive admission requests and do something with them.
Pod lifecycle ● Kritis - Admission controller for policy enforcement Kubernentes API Validation webhook Image security validator Kritis Create a pod Validate pod
Pod lifecycle ● Kritis - Admission controller for policy enforcement Kubernentes API Validation webhook Image security validator Kritis Fetch policy (CRD) Create a pod Validate pod
Pod lifecycle ● Kritis - Admission controller for policy enforcement Kubernentes API Validation webhook Image security validator Kritis Fetch policy (CRD) Create a pod Validate pod Kritis policy is a CRD.
Example policy apiVersion: kritis.grafeas.io/v1beta1 kind: ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081
Example policy apiVersion: kritis.grafeas.io/v1beta1 kind: ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081 The Custom Resource Definition. Supported values: ImageSecurityPolicy GenericAttestationPolicy
Example policy apiVersion: kritis.grafeas.io/v1beta1 kind: ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081 Allow deploying images signed by ‘kritis-authority’ to allow previously admitted images be re-admitted on pod restart
Example policy apiVersion: kritis.grafeas.io/v1beta1 kind: ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081 Allow specific external/infrastructure images
Example policy apiVersion: kritis.grafeas.io/v1beta1 kind: ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081 Constraint on vulnerability: vuln severity <= policy severity
Example policy apiVersion: kritis.grafeas.io/v1beta1 kind: ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081 Carefully whitelist specific vulnerabilities
Pod lifecycle Kubernentes API Validation webhook Image security validator Kritis Fetch policy (CRD) Create a pod Validate pod
Pod lifecycle Kubernentes API Validation webhook Image security validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas
Pod lifecycle Kubernentes API Validation webhook Image security validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas Uniform way to audit your software supply chain
Grafeas metadata store ● Notes - High level piece of metadata { "name" : "projects/provider_example/notes/test" , "shortDescription" : "A brief description of the note" , "longDescription" : "A longer description of the note" , "kind": "VULNERABILITY" , "vulnerability" : { "details": [ { "package": "libexempi3", "cpeUri": "cpe:/o:debian:debian_linux:7" , "minAffectedVersion" : { "name": "2.5.7", "revision": "1", "kind": "NORMAL" }, }] } }
Grafeas metadata store { "name" : "projects/provider_example/notes/test" , "shortDescription" : "A brief description of the note" , "longDescription" : "A longer description of the note" , "kind": "VULNERABILITY" , "vulnerability" : { "details": [ { "package": "libexempi3", "cpeUri": "cpe:/o:debian:debian_linux:7" , "minAffectedVersion" : { "name": "2.5.7", "revision": "1", "kind": "NORMAL" }, }] } } ● Notes - High level piece of metadata - Vulnerability: CVE description
Grafeas metadata store { "name" : "projects/provider_example/notes/test" , "shortDescription" : "A brief description of the note" , "longDescription" : "A longer description of the note" , "kind": "VULNERABILITY" , "vulnerability" : { "details": [ { "package": "libexempi3", "cpeUri": "cpe:/o:debian:debian_linux:7" , "minAffectedVersion" : { "name": "2.5.7", "revision": "1", "kind": "NORMAL" }, }] } } ● Notes - High level piece of metadata - Vulnerability: CVE description & details
Grafeas metadata store { "name" : "projects/provider_example/notes/test" , "shortDescription" : "A brief description of the note" , "longDescription" : "A longer description of the note" , "kind": "VULNERABILITY" , "vulnerability" : { "details": [ { "package": "libexempi3", "cpeUri": "cpe:/o:debian:debian_linux:7" , "minAffectedVersion" : { "name": "2.5.7", "revision": "1", "kind": "NORMAL" }, }] } } ● Notes - High level piece of metadata - Vulnerability: CVE description & details
Grafeas metadata store { "name": "projects/image-signing/notes/product ion", "shortDescription": "Production image signer", "longDescription": "Production image signer", "kind": "ATTESTATION_AUTHORITY" , "attestationAuthority": { "hint": { "humanReadableName": "production" } } } ● Notes - High level piece of metadata - Vulnerability: CVE description & details - Attestation: attestation authority
Grafeas metadata store { "name" : "projects/provider_example/notes/test" , "shortDescription" : "A brief description of the note" , "longDescription" : "A longer description of the note" , "kind": "VULNERABILITY" , "vulnerability" : { "details": [ { "package": "libexempi3", "cpeUri": "cpe:/o:debian:debian_linux:7" , "minAffectedVersion" : { "name": "2.5.7", "revision": "1", "kind": "NORMAL" }, }] } } ● Notes - High level piece of metadata - Vulnerability: CVE description & details - Attestation: attestation authority - Deployment - Build history - And more!
Grafeas metadata store ● Notes ● Occurrences - Instantiation of a note { "name": "projects/occurrence_example/occurrences/test", "resource": { "uri": "https://gcr.io/project/image@sha256:foo", }, "noteName": "projects/provider_example/notes/test", "kind": "VULNERABILITY", "vulnerability": { "packageIssue": [ { "affectedLocation": { "cpeUri": "7", "package": "a", "version": { "name": "v1.1.1", "kind": "NORMAL", "revision": "r" } }, "fixedLocation": { "cpeUri": "cpe:/o:debian:debian_linux:7", "package": "a", "version": { "name": "namestring", "kind": "NORMAL", "revision": "1" } } } ] } }
Grafeas metadata store { "name": "projects/occurrence_example/occurrences/test", "resource": { "uri": "https://gcr.io/project/image@sha256:foo", }, "noteName": "projects/provider_example/notes/test", "kind": "VULNERABILITY", "vulnerability": { "packageIssue": [ { "affectedLocation": { "cpeUri": "7", "package": "a", "version": { "name": "v1.1.1", "kind": "NORMAL", "revision": "r" } }, "fixedLocation": { "cpeUri": "cpe:/o:debian:debian_linux:7", "package": "a", "version": { "name": "namestring", "kind": "NORMAL", "revision": "1" } } } ] } } ● Notes ● Occurrences - Instantiation of a note
Grafeas metadata store { "name": "projects/occurrence_example/occurrences/test", "resource": { "uri": "https://gcr.io/project/image@sha256:foo", }, "noteName": "projects/provider_example/notes/test", "kind": "VULNERABILITY", "vulnerability": { "packageIssue": [ { "affectedLocation": { "cpeUri": "7", "package": "a", "version": { "name": "v1.1.1", "kind": "NORMAL", "revision": "r" } }, "fixedLocation": { "cpeUri": "cpe:/o:debian:debian_linux:7", "package": "a", "version": { "name": "namestring", "kind": "NORMAL", "revision": "1" } } } ] } } ● Notes ● Occurrences - Instantiation of a note
Grafeas metadata store { "name": "projects/occurrence_example/occurrences/test", "resource": { "uri": "https://gcr.io/project/image@sha256:foo", }, "noteName": "projects/provider_example/notes/test", "kind": "VULNERABILITY", "vulnerability": { "packageIssue": [ { "affectedLocation": { "cpeUri": "7", "package": "a", "version": { "name": "v1.1.1", "kind": "NORMAL", "revision": "r" } }, "fixedLocation": { "cpeUri": "cpe:/o:debian:debian_linux:7", "package": "a", "version": { "name": "namestring", "kind": "NORMAL", "revision": "1" } } } ] } } ● Notes ● Occurrences - Instantiation of a note - Package where vulnerability was found
Grafeas metadata store { "name": "projects/occurrence_example/occurrences/test", "resource": { "uri": "https://gcr.io/project/image@sha256:foo", }, "noteName": "projects/provider_example/notes/test", "kind": "VULNERABILITY", "vulnerability": { "packageIssue": [ { "affectedLocation": { "cpeUri": "7", "package": "a", "version": { "name": "v1.1.1", "kind": "NORMAL", "revision": "r" } }, "fixedLocation": { "cpeUri": "cpe:/o:debian:debian_linux:7", "package": "a", "version": { "name": "namestring", "kind": "NORMAL", "revision": "1" } } } ] } } ● Notes ● Occurrences - Instantiation of a note - Package where vulnerability was found - Remediation
Pod lifecycle Kubernentes API Validation webhook Image security validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas Image security validator Fetch metadata API
Pod lifecycle Kubernentes API Validation webhook Image security validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas Image security validator Fetch metadata API DB
Pod lifecycle Kubernentes API Validation webhook Image security validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas Image security validator Fetch metadata API DB Who pushes security data to Grafeas?
Pod lifecycle Kubernentes API Validation webhook Image security validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas Image security validator Fetch metadata API DB
Demo https://github.com/grafeas/kritis/tree/master/docs/st andalone
Roadmap ● Grafeas
Roadmap ● Grafeas ○ New metadata kinds contributed by the community
Roadmap ● Grafeas ○ New metadata kinds contributed by the community License Test StaticAnalysis InTotoLinkAttestation
Roadmap ● Grafeas ○ New metadata kinds contributed by the community ○ Server v1.0
Roadmap ● Grafeas ○ New metadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership
Roadmap ● Grafeas ○ New metadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ■ Designate client owners for each language
Roadmap ● Grafeas ○ New metadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ■ Designate client owners for each language ■ Maintenance of the reference server v1.0
Roadmap ● Grafeas ○ New metadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ● Kritis
Roadmap ● Grafeas ○ New metadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ● Kritis ○ Production-ready, high-availability Kritis
Roadmap ● Grafeas ○ New metadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ● Kritis ○ Production-ready, high-availability Kritis ○ Interoperability between BinAuthz and Kritis
Roadmap ● Grafeas ○ New metadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ● Kritis ○ Production-ready, high-availability Kritis ○ Interoperability between BinAuthz and Kritis ○ More expressive policies based on stored metadata
References ● Deploy standalone Kritis + Grafeas in GKE ● Grafeas: github.com/grafeas/grafeas ● Kritis github repo: github.com/grafeas/kritis ● Mailing lists @googlegroups.com: ○ grafeas-users ○ grafeas-dev ○ kritis-users ● @Grafeasio

More Related Content

PDF
Introduction to GCP
byKnoldus Inc.
 
PPTX
Introduction to GCP (Google Cloud Platform)
byPulkit Gupta
 
PDF
Google Cloud Platform Training | Introduction To GCP | Google Cloud Platform ...
byEdureka!
 
PDF
Monitoring Workshop Kiel 2016 - Performancedaten Visualisierung mit Grafana /...
byPhilip Griesbacher
 
PPTX
Building CI/CD Pipelines with Jenkins and Kubernetes
byJanakiram MSV
 
PPTX
Splunk Overview
bySplunk
 
PPTX
Building an Authorization Solution for Microservices Using Neo4j and OPA
byNeo4j
 
PPTX
Monitoring, Logging and Tracing on Kubernetes
byMartin Etmajer
 
Introduction to GCP
byKnoldus Inc.
 
Introduction to GCP (Google Cloud Platform)
byPulkit Gupta
 
Google Cloud Platform Training | Introduction To GCP | Google Cloud Platform ...
byEdureka!
 
Monitoring Workshop Kiel 2016 - Performancedaten Visualisierung mit Grafana /...
byPhilip Griesbacher
 
Building CI/CD Pipelines with Jenkins and Kubernetes
byJanakiram MSV
 
Splunk Overview
bySplunk
 
Building an Authorization Solution for Microservices Using Neo4j and OPA
byNeo4j
 
Monitoring, Logging and Tracing on Kubernetes
byMartin Etmajer
 

What's hot

PPTX
Google cloud functions
byPéter Nagy
 
PDF
Introduction to Google Cloud Platform
bySujai Prakasam
 
PDF
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
byEdureka!
 
PPTX
Cloud computing by Google Cloud Platform - Presentation
byTinarivosoaAbaniaina
 
PDF
카프카 기반의 대규모 모니터링 플랫폼 개발이야기
byif kakao
 
PPTX
The Top 5 Apache Kafka Use Cases and Architectures in 2022
byKai Wähner
 
PDF
GCP CloudRun Overview
byOliver Fierro
 
PDF
Google cloud platform introduction
bySimon Su
 
PPTX
Splunk Overview
bySplunk
 
PPTX
Splunk for IT Operations
bySplunk
 
PDF
Kubernetes extensibility: crd & operators
byGiacomo Tirabassi
 
PDF
OpenShift 4, the smarter Kubernetes platform
byKangaroot
 
PPTX
MySQL Monitoring using Prometheus & Grafana
byYoungHeon (Roy) Kim
 
PPTX
Google Cloud and Data Pipeline Patterns
byLynn Langit
 
PDF
AWS와 함께 하는 클라우드 컴퓨팅 - 홍민우 AWS 매니저
byAmazon Web Services Korea
 
PDF
Customer Experience at Disney+ Through Data Perspective
byDatabricks
 
PDF
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...
bySlideTeam
 
PDF
Oracle Cloud Infrastructure – Storage
byMarketingArrowECS_CZ
 
PDF
Serverless with Google Cloud
byBret McGowen - NYC Google Developer Advocate
 
PDF
Netflix Global Cloud Architecture
byAdrian Cockcroft
 
Google cloud functions
byPéter Nagy
 
Introduction to Google Cloud Platform
bySujai Prakasam
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
byEdureka!
 
Cloud computing by Google Cloud Platform - Presentation
byTinarivosoaAbaniaina
 
카프카 기반의 대규모 모니터링 플랫폼 개발이야기
byif kakao
 
The Top 5 Apache Kafka Use Cases and Architectures in 2022
byKai Wähner
 
GCP CloudRun Overview
byOliver Fierro
 
Google cloud platform introduction
bySimon Su
 
Splunk Overview
bySplunk
 
Splunk for IT Operations
bySplunk
 
Kubernetes extensibility: crd & operators
byGiacomo Tirabassi
 
OpenShift 4, the smarter Kubernetes platform
byKangaroot
 
MySQL Monitoring using Prometheus & Grafana
byYoungHeon (Roy) Kim
 
Google Cloud and Data Pipeline Patterns
byLynn Langit
 
AWS와 함께 하는 클라우드 컴퓨팅 - 홍민우 AWS 매니저
byAmazon Web Services Korea
 
Customer Experience at Disney+ Through Data Perspective
byDatabricks
 
An Architectural Deep Dive With Kubernetes And Containers Powerpoint Presenta...
bySlideTeam
 
Oracle Cloud Infrastructure – Storage
byMarketingArrowECS_CZ
 
Serverless with Google Cloud
byBret McGowen - NYC Google Developer Advocate
 
Netflix Global Cloud Architecture
byAdrian Cockcroft
 

Similar to Binary Authorization in Kubernetes

PDF
Software Supply Chain Management with Grafeas and Kritis
byAysylu Greenberg
 
PPTX
Securing microservices continuous delivery using grafeas and kritis
byVishal Banthia
 
PDF
CRA_ Secure Your Future before CRA Hits.pdf
byMario Fahlandt
 
PPTX
Code Security with GitHub Advanced Security
byLuis Fraile
 
PDF
Software Supply Chain Observability with Grafeas and Kritis
byAysylu Greenberg
 
PPTX
Clair, A Container Image Security Analyzer
byCoreOS
 
PDF
Introduction to the European Union Cyber Resilience Act (CRA)
byShane Coughlan
 
PDF
ISACA SV Chapter: Securing Software Supply Chains
byJim Bugwadia
 
PDF
Hardening Your CI/CD Pipelines with GitOps and Continuous Security
byWeaveworks
 
PDF
Software Supply Chain Management with Grafeas and Kritis
byAysylu Greenberg
 
PDF
Security Patterns for Microservice Architectures - London Java Community 2020
byMatt Raible
 
PDF
A Developer’s Guide to Kubernetes Security
byGene Gotimer
 
PPTX
CodeOne SF 2018 "Are you deploying and operating with security in mind?"
byDaniel Bryant
 
PDF
Software Supply Chains for DevOps @ InfoQ Live 2021
byAysylu Greenberg
 
PDF
Protecting your organization against attacks via the build system
byLouis Jacomet
 
PDF
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
PDF
Security Patterns for Microservice Architectures - Oktane20
byMatt Raible
 
PDF
Security Patterns for Microservice Architectures - ADTMag Microservices & API...
byMatt Raible
 
PPTX
Template_for_Presentation_PhD Visveswarya Scheme (1).pptx
bysinglesrihari
 
PPTX
OpenStack Security Project
byTravis McPeak
 
Software Supply Chain Management with Grafeas and Kritis
byAysylu Greenberg
 
Securing microservices continuous delivery using grafeas and kritis
byVishal Banthia
 
CRA_ Secure Your Future before CRA Hits.pdf
byMario Fahlandt
 
Code Security with GitHub Advanced Security
byLuis Fraile
 
Software Supply Chain Observability with Grafeas and Kritis
byAysylu Greenberg
 
Clair, A Container Image Security Analyzer
byCoreOS
 
Introduction to the European Union Cyber Resilience Act (CRA)
byShane Coughlan
 
ISACA SV Chapter: Securing Software Supply Chains
byJim Bugwadia
 
Hardening Your CI/CD Pipelines with GitOps and Continuous Security
byWeaveworks
 
Software Supply Chain Management with Grafeas and Kritis
byAysylu Greenberg
 
Security Patterns for Microservice Architectures - London Java Community 2020
byMatt Raible
 
A Developer’s Guide to Kubernetes Security
byGene Gotimer
 
CodeOne SF 2018 "Are you deploying and operating with security in mind?"
byDaniel Bryant
 
Software Supply Chains for DevOps @ InfoQ Live 2021
byAysylu Greenberg
 
Protecting your organization against attacks via the build system
byLouis Jacomet
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
byDenim Group
 
Security Patterns for Microservice Architectures - Oktane20
byMatt Raible
 
Security Patterns for Microservice Architectures - ADTMag Microservices & API...
byMatt Raible
 
Template_for_Presentation_PhD Visveswarya Scheme (1).pptx
bysinglesrihari
 
OpenStack Security Project
byTravis McPeak
 

More from Aysylu Greenberg

PDF
Zero Downtime Migrations at Scale
byAysylu Greenberg
 
PDF
Zero Downtime Migration
byAysylu Greenberg
 
PPTX
PWL Denver: Copysets
byAysylu Greenberg
 
PDF
Distributed systems in practice, in theory (ScaleConf Colombia)
byAysylu Greenberg
 
PDF
MesosCon Asia Keynote: Replacing a Jet Engine Mid-flight
byAysylu Greenberg
 
PDF
Distributed systems in practice, in theory (JAX London)
byAysylu Greenberg
 
PPTX
Building A Distributed Build System at Google Scale (StrangeLoop 2016)
byAysylu Greenberg
 
PDF
QCon NYC: Distributed systems in practice, in theory
byAysylu Greenberg
 
PDF
Building a Distributed Build System at Google Scale
byAysylu Greenberg
 
PDF
(+ Loom (years 2))
byAysylu Greenberg
 
PDF
Distributed systems in practice, in theory
byAysylu Greenberg
 
PDF
Probabilistic Accuracy Bounds @ Papers We Love SF
byAysylu Greenberg
 
PDF
Benchmarking (JAXLondon 2015)
byAysylu Greenberg
 
PPTX
Loom & Functional Graphs in Clojure @ LambdaConf 2015
byAysylu Greenberg
 
PDF
Benchmarking (DevNexus 2015)
byAysylu Greenberg
 
PDF
Benchmarking (RICON 2014)
byAysylu Greenberg
 
PDF
Benchmarking: You're Doing It Wrong (StrangeLoop 2014)
byAysylu Greenberg
 
PDF
PWL: One VM to Rule Them All
byAysylu Greenberg
 
PDF
Loom at Clojure/West
byAysylu Greenberg
 
PDF
Clojure class
byAysylu Greenberg
 
Zero Downtime Migrations at Scale
byAysylu Greenberg
 
Zero Downtime Migration
byAysylu Greenberg
 
PWL Denver: Copysets
byAysylu Greenberg
 
Distributed systems in practice, in theory (ScaleConf Colombia)
byAysylu Greenberg
 
MesosCon Asia Keynote: Replacing a Jet Engine Mid-flight
byAysylu Greenberg
 
Distributed systems in practice, in theory (JAX London)
byAysylu Greenberg
 
Building A Distributed Build System at Google Scale (StrangeLoop 2016)
byAysylu Greenberg
 
QCon NYC: Distributed systems in practice, in theory
byAysylu Greenberg
 
Building a Distributed Build System at Google Scale
byAysylu Greenberg
 
(+ Loom (years 2))
byAysylu Greenberg
 
Distributed systems in practice, in theory
byAysylu Greenberg
 
Probabilistic Accuracy Bounds @ Papers We Love SF
byAysylu Greenberg
 
Benchmarking (JAXLondon 2015)
byAysylu Greenberg
 
Loom & Functional Graphs in Clojure @ LambdaConf 2015
byAysylu Greenberg
 
Benchmarking (DevNexus 2015)
byAysylu Greenberg
 
Benchmarking (RICON 2014)
byAysylu Greenberg
 
Benchmarking: You're Doing It Wrong (StrangeLoop 2014)
byAysylu Greenberg
 
PWL: One VM to Rule Them All
byAysylu Greenberg
 
Loom at Clojure/West
byAysylu Greenberg
 
Clojure class
byAysylu Greenberg
 

Recently uploaded

PDF
Google Developer Groups on Campus CSUEB: Intro to Google Agent Development Kit
byugoti
 
PDF
Custom eCommerce App Development for Modern Retail Stores.pdf
byInexture Solutions
 
PDF
PyData Paris keynote: Big ideas shaping scientific Python: the quest for perf...
byRalf Gommers
 
PDF
Guidewire Connections 2025 PT 6 Unleash the Power of Agentic AI with Guidewire
byBrian Petrini
 
PPTX
Streamline Safety with Advanced Chemical Inventory Management System
byEHA Soft Solutions
 
PDF
White-Label Development vs In-House Tech Teams: Key Differences
byShiv Technolabs Pvt. Ltd.
 
PDF
AI-Powered Alert Analysis with ClickHouse Cloud Databases.pdf
byAlkin Tezuysal
 
PDF
Working with Machine Learning in Production
byFrederick Apina
 
PPTX
Hall-Pass-Management-Software-Transforming-School-Safety-and-Efficiency.pptx
byinfoswipesolutionsin
 
PPTX
Lead Scoring Models in the Wild: What Works & What Doesn’t
bybbedford2
 
PPTX
Classify and visualize Jira work to stay focused and foster innovation - Work...
byWork Type Focus
 
PPTX
Advanced Risk Assessment Module for Enhanced Workplace Safety
byEHA Soft Solutions
 
PDF
Enterprise Data Sync via Navision Integration Service Provider
byNavision India
 
PDF
Comprehensive Guide to Performance Testing Tools and Services
byKanika Vatsyayan
 
PPTX
1stCollege Management System (1) .pptx
bygehlotyash2005
 
PDF
Zoople Technologies: Premier Data Science Institute in Kozhikode
byaromalcsunil761
 
PPTX
Cache management across scenarios_version5.pptx
bykamarajsindhuja1
 
PPTX
Streamline Compliance and Safety with Advanced Contractor Management Software
bySHEQ Network Limited
 
PDF
The Future of School Management in Kenya_ Why Automation Is the Next Big Leap
byChandru
 
PPTX
Digital Twins for RolandRust U Maryland 20251030 v14.pptx
byhome
 
Google Developer Groups on Campus CSUEB: Intro to Google Agent Development Kit
byugoti
 
Custom eCommerce App Development for Modern Retail Stores.pdf
byInexture Solutions
 
PyData Paris keynote: Big ideas shaping scientific Python: the quest for perf...
byRalf Gommers
 
Guidewire Connections 2025 PT 6 Unleash the Power of Agentic AI with Guidewire
byBrian Petrini
 
Streamline Safety with Advanced Chemical Inventory Management System
byEHA Soft Solutions
 
White-Label Development vs In-House Tech Teams: Key Differences
byShiv Technolabs Pvt. Ltd.
 
AI-Powered Alert Analysis with ClickHouse Cloud Databases.pdf
byAlkin Tezuysal
 
Working with Machine Learning in Production
byFrederick Apina
 
Hall-Pass-Management-Software-Transforming-School-Safety-and-Efficiency.pptx
byinfoswipesolutionsin
 
Lead Scoring Models in the Wild: What Works & What Doesn’t
bybbedford2
 
Classify and visualize Jira work to stay focused and foster innovation - Work...
byWork Type Focus
 
Advanced Risk Assessment Module for Enhanced Workplace Safety
byEHA Soft Solutions
 
Enterprise Data Sync via Navision Integration Service Provider
byNavision India
 
Comprehensive Guide to Performance Testing Tools and Services
byKanika Vatsyayan
 
1stCollege Management System (1) .pptx
bygehlotyash2005
 
Zoople Technologies: Premier Data Science Institute in Kozhikode
byaromalcsunil761
 
Cache management across scenarios_version5.pptx
bykamarajsindhuja1
 
Streamline Compliance and Safety with Advanced Contractor Management Software
bySHEQ Network Limited
 
The Future of School Management in Kenya_ Why Automation Is the Next Big Leap
byChandru
 
Digital Twins for RolandRust U Maryland 20251030 v14.pptx
byhome
 
In this document
Powered by AI

Presentation by Aysylu Greenberg (Google) and Liron Levin (Palo Alto Networks) introducing Binary Authorization in Kubernetes.

Discussion on the necessity of binary authorization, its role in enhancing security, exploring open-source technologies, and engaging demos.

Illustration of the software supply chain including Code, Build & Test (CI/CD), and Deployment stages.

Examination of current deployed images, QA test completions, and notable vulnerabilities impacting these images.

Details on binary authorization requirements, including image signing by trusted authorities and vulnerability assessments.

Introduction to open-source initiatives relevant to software supply chain security and policies.

Explanation of pod lifecycle in Kubernetes with Kritis as an admission controller for policy enforcement.

Detailed example of ImageSecurityPolicy in Kritis, including parameters like attestation authority and vulnerability requirements.

Discussion on Grafeas' role in auditing software supply chains, handling vulnerability and attestation metadata.

Illustration of occurrences in Grafeas related to vulnerabilities, including affected packages and remediation.

Role of Grafeas in validating metadata during the pod lifecycle and the security data flow.

Plans for enhancing Grafeas with community contributions and developing Kritis for better security and interoperability.

Binary Authorization in Kubernetes

  • 2.
    Aysylu Greenberg, Google LironLevin, Palo Alto Networks Binary Authorization in Kubernetes
  • 3.
    Who are we AysyluGreenberg Sr Software Engineer @ Google Eng Lead of open-source Grafeas and Kritis @aysylu22 Liron Levin Chief software architect @ Prisma Cloud Compute Grafeas and Kritis contributor
  • 4.
    Today ● Why weneed binary authorization
  • 5.
    Today ● Why weneed binary authorization ● Improve the security posture of your k8s cluster
  • 6.
    Today ● Why weneed binary authorization ● Improve the security posture of your k8s cluster ● Learn about exciting open source security technologies
  • 7.
    Today ● Why weneed binary authorization ● Improve the security posture of your k8s cluster ● Learn about exciting open source security technologies ● Have fun and see cool demos
  • 8.
  • 9.
    Software supply chain Build& Test (CI/CD) Code
  • 10.
    Software supply chain Build& Test (CI/CD) Code Deploy
  • 11.
  • 12.
    Software supply chain- reality ● Which images are deployed right now?
  • 13.
    Software supply chain- reality ● Which images are deployed right now? ● Did all deployed images pass required QA tests
  • 14.
    Software supply chain- reality ● Which images are deployed right now? ● Did all deployed images pass required QA tests ● Does vulnerability CVE-2017-5638 (Equifax, apache struts RCE) impact production images?
  • 15.
    Software supply chain Build& Test (CI/CD) Code Deploy
  • 16.
    Software supply chain Build& Test (CI/CD) Code DeployAuthorize
  • 17.
    Binary authorization -use cases ● Require images to be signed by trusted authorities: ○ QA ○ DevOps ○ Security tools https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
  • 18.
    Binary authorization -use cases ● Require images to be signed by trusted authorities: ○ QA ○ DevOps ○ Security tools ● Require images to pass some restrictive security criteria (e.g., no critical severity unpatched vulnerabilities) https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
  • 19.
    Binary authorization -use cases ● Require images to be signed by trusted authorities: ○ QA ○ DevOps ○ Security tools ● Require images to pass some restrictive security criteria (e.g., no critical severity unpatched vulnerabilities) ● Continuously monitor our inventory https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
    Pod lifecycle ● Kritis- Admission controller for policy enforcement Kubernentes API Kritis Create a pod
  • 26.
    Pod lifecycle ● Kritis- Admission controller for policy enforcement Kubernentes API Validation webhook Kritis Create a pod Validate pod Admission webhooks receive admission requests and do something with them.
  • 27.
    Pod lifecycle ● Kritis- Admission controller for policy enforcement Kubernentes API Validation webhook Image security validator Kritis Create a pod Validate pod
  • 28.
    Pod lifecycle ● Kritis- Admission controller for policy enforcement Kubernentes API Validation webhook Image security validator Kritis Fetch policy (CRD) Create a pod Validate pod
  • 29.
    Pod lifecycle ● Kritis- Admission controller for policy enforcement Kubernentes API Validation webhook Image security validator Kritis Fetch policy (CRD) Create a pod Validate pod Kritis policy is a CRD.
  • 30.
    Example policy apiVersion: kritis.grafeas.io/v1beta1 kind:ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081
  • 31.
    Example policy apiVersion: kritis.grafeas.io/v1beta1 kind:ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081 The Custom Resource Definition. Supported values: ImageSecurityPolicy GenericAttestationPolicy
  • 32.
    Example policy apiVersion: kritis.grafeas.io/v1beta1 kind:ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081 Allow deploying images signed by ‘kritis-authority’ to allow previously admitted images be re-admitted on pod restart
  • 33.
    Example policy apiVersion: kritis.grafeas.io/v1beta1 kind:ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081 Allow specific external/infrastructure images
  • 34.
    Example policy apiVersion: kritis.grafeas.io/v1beta1 kind:ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081 Constraint on vulnerability: vuln severity <= policy severity
  • 35.
    Example policy apiVersion: kritis.grafeas.io/v1beta1 kind:ImageSecurityPolicy metadata: name: my-isp namespace: default spec: attestationAuthorityNames: - kritis-authority imageAllowlist: - gcr.io/my/image packageVulnerabilityRequirements: maximumSeverity: HIGH # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL maximumFixUnavailableSeverity: ALLOW_ALL # LOW|MEDIUM|HIGH|CRITICAL|BLOCK_ALL|ALLOW_ALL allowlistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081 Carefully whitelist specific vulnerabilities
  • 36.
    Pod lifecycle Kubernentes API Validation webhook Imagesecurity validator Kritis Fetch policy (CRD) Create a pod Validate pod
  • 37.
    Pod lifecycle Kubernentes API Validation webhook Imagesecurity validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas
  • 38.
    Pod lifecycle Kubernentes API Validation webhook Imagesecurity validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas Uniform way to audit your software supply chain
  • 39.
    Grafeas metadata store ●Notes - High level piece of metadata { "name" : "projects/provider_example/notes/test" , "shortDescription" : "A brief description of the note" , "longDescription" : "A longer description of the note" , "kind": "VULNERABILITY" , "vulnerability" : { "details": [ { "package": "libexempi3", "cpeUri": "cpe:/o:debian:debian_linux:7" , "minAffectedVersion" : { "name": "2.5.7", "revision": "1", "kind": "NORMAL" }, }] } }
  • 40.
    Grafeas metadata store { "name": "projects/provider_example/notes/test" , "shortDescription" : "A brief description of the note" , "longDescription" : "A longer description of the note" , "kind": "VULNERABILITY" , "vulnerability" : { "details": [ { "package": "libexempi3", "cpeUri": "cpe:/o:debian:debian_linux:7" , "minAffectedVersion" : { "name": "2.5.7", "revision": "1", "kind": "NORMAL" }, }] } } ● Notes - High level piece of metadata - Vulnerability: CVE description
  • 41.
    Grafeas metadata store { "name": "projects/provider_example/notes/test" , "shortDescription" : "A brief description of the note" , "longDescription" : "A longer description of the note" , "kind": "VULNERABILITY" , "vulnerability" : { "details": [ { "package": "libexempi3", "cpeUri": "cpe:/o:debian:debian_linux:7" , "minAffectedVersion" : { "name": "2.5.7", "revision": "1", "kind": "NORMAL" }, }] } } ● Notes - High level piece of metadata - Vulnerability: CVE description & details
  • 42.
    Grafeas metadata store { "name": "projects/provider_example/notes/test" , "shortDescription" : "A brief description of the note" , "longDescription" : "A longer description of the note" , "kind": "VULNERABILITY" , "vulnerability" : { "details": [ { "package": "libexempi3", "cpeUri": "cpe:/o:debian:debian_linux:7" , "minAffectedVersion" : { "name": "2.5.7", "revision": "1", "kind": "NORMAL" }, }] } } ● Notes - High level piece of metadata - Vulnerability: CVE description & details
  • 43.
    Grafeas metadata store { "name": "projects/image-signing/notes/product ion", "shortDescription":"Production image signer", "longDescription": "Production image signer", "kind": "ATTESTATION_AUTHORITY" , "attestationAuthority": { "hint": { "humanReadableName": "production" } } } ● Notes - High level piece of metadata - Vulnerability: CVE description & details - Attestation: attestation authority
  • 44.
    Grafeas metadata store { "name": "projects/provider_example/notes/test" , "shortDescription" : "A brief description of the note" , "longDescription" : "A longer description of the note" , "kind": "VULNERABILITY" , "vulnerability" : { "details": [ { "package": "libexempi3", "cpeUri": "cpe:/o:debian:debian_linux:7" , "minAffectedVersion" : { "name": "2.5.7", "revision": "1", "kind": "NORMAL" }, }] } } ● Notes - High level piece of metadata - Vulnerability: CVE description & details - Attestation: attestation authority - Deployment - Build history - And more!
  • 45.
    Grafeas metadata store ●Notes ● Occurrences - Instantiation of a note { "name": "projects/occurrence_example/occurrences/test", "resource": { "uri": "https://gcr.io/project/image@sha256:foo", }, "noteName": "projects/provider_example/notes/test", "kind": "VULNERABILITY", "vulnerability": { "packageIssue": [ { "affectedLocation": { "cpeUri": "7", "package": "a", "version": { "name": "v1.1.1", "kind": "NORMAL", "revision": "r" } }, "fixedLocation": { "cpeUri": "cpe:/o:debian:debian_linux:7", "package": "a", "version": { "name": "namestring", "kind": "NORMAL", "revision": "1" } } } ] } }
  • 46.
    Grafeas metadata store { "name":"projects/occurrence_example/occurrences/test", "resource": { "uri": "https://gcr.io/project/image@sha256:foo", }, "noteName": "projects/provider_example/notes/test", "kind": "VULNERABILITY", "vulnerability": { "packageIssue": [ { "affectedLocation": { "cpeUri": "7", "package": "a", "version": { "name": "v1.1.1", "kind": "NORMAL", "revision": "r" } }, "fixedLocation": { "cpeUri": "cpe:/o:debian:debian_linux:7", "package": "a", "version": { "name": "namestring", "kind": "NORMAL", "revision": "1" } } } ] } } ● Notes ● Occurrences - Instantiation of a note
  • 47.
    Grafeas metadata store { "name":"projects/occurrence_example/occurrences/test", "resource": { "uri": "https://gcr.io/project/image@sha256:foo", }, "noteName": "projects/provider_example/notes/test", "kind": "VULNERABILITY", "vulnerability": { "packageIssue": [ { "affectedLocation": { "cpeUri": "7", "package": "a", "version": { "name": "v1.1.1", "kind": "NORMAL", "revision": "r" } }, "fixedLocation": { "cpeUri": "cpe:/o:debian:debian_linux:7", "package": "a", "version": { "name": "namestring", "kind": "NORMAL", "revision": "1" } } } ] } } ● Notes ● Occurrences - Instantiation of a note
  • 48.
    Grafeas metadata store { "name":"projects/occurrence_example/occurrences/test", "resource": { "uri": "https://gcr.io/project/image@sha256:foo", }, "noteName": "projects/provider_example/notes/test", "kind": "VULNERABILITY", "vulnerability": { "packageIssue": [ { "affectedLocation": { "cpeUri": "7", "package": "a", "version": { "name": "v1.1.1", "kind": "NORMAL", "revision": "r" } }, "fixedLocation": { "cpeUri": "cpe:/o:debian:debian_linux:7", "package": "a", "version": { "name": "namestring", "kind": "NORMAL", "revision": "1" } } } ] } } ● Notes ● Occurrences - Instantiation of a note - Package where vulnerability was found
  • 49.
    Grafeas metadata store { "name":"projects/occurrence_example/occurrences/test", "resource": { "uri": "https://gcr.io/project/image@sha256:foo", }, "noteName": "projects/provider_example/notes/test", "kind": "VULNERABILITY", "vulnerability": { "packageIssue": [ { "affectedLocation": { "cpeUri": "7", "package": "a", "version": { "name": "v1.1.1", "kind": "NORMAL", "revision": "r" } }, "fixedLocation": { "cpeUri": "cpe:/o:debian:debian_linux:7", "package": "a", "version": { "name": "namestring", "kind": "NORMAL", "revision": "1" } } } ] } } ● Notes ● Occurrences - Instantiation of a note - Package where vulnerability was found - Remediation
  • 50.
    Pod lifecycle Kubernentes API Validation webhook Imagesecurity validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas Image security validator Fetch metadata API
  • 51.
    Pod lifecycle Kubernentes API Validation webhook Imagesecurity validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas Image security validator Fetch metadata API DB
  • 52.
    Pod lifecycle Kubernentes API Validation webhook Imagesecurity validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas Image security validator Fetch metadata API DB Who pushes security data to Grafeas?
  • 53.
    Pod lifecycle Kubernentes API Validation webhook Imagesecurity validator Kritis Fetch policy (CRD) Create a pod Validate pod Grafeas Image security validator Fetch metadata API DB
  • 54.
  • 55.
  • 56.
    Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community
  • 57.
    Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community License Test StaticAnalysis InTotoLinkAttestation
  • 58.
    Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community ○ Server v1.0
  • 59.
    Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership
  • 60.
    Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ■ Designate client owners for each language
  • 61.
    Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ■ Designate client owners for each language ■ Maintenance of the reference server v1.0
  • 62.
    Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ● Kritis
  • 63.
    Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ● Kritis ○ Production-ready, high-availability Kritis
  • 64.
    Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ● Kritis ○ Production-ready, high-availability Kritis ○ Interoperability between BinAuthz and Kritis
  • 65.
    Roadmap ● Grafeas ○ Newmetadata kinds contributed by the community ○ Server v1.0 ○ Move towards larger community ownership ● Kritis ○ Production-ready, high-availability Kritis ○ Interoperability between BinAuthz and Kritis ○ More expressive policies based on stored metadata
  • 66.
    References ● Deploy standaloneKritis + Grafeas in GKE ● Grafeas: github.com/grafeas/grafeas ● Kritis github repo: github.com/grafeas/kritis ● Mailing lists @googlegroups.com: ○ grafeas-users ○ grafeas-dev ○ kritis-users ● @Grafeasio