Software Supply Chain is a collective term used to describe the continuous integration and delivery pipelines. In addition, it refers to the observability tools that track what happens to a piece of code from the moment it’s in the source code to when it gets deployed, and everywhere in between. Grafeas is an open-source artifact metadata API to audit and govern your software supply chain. It's built as an industry standard for storing and retrieving metadata about software resources. Kritis is an open-source solution for securing your software supply chain for Kubernetes applications. It enforces deploy-time security policies using Grafeas. This talk will discuss the goals for each of the two open source projects, dive into the examples of how they can be used to secure your company's software supply chain, and conclude with the details of current and future development.

1. Software Supply Chain Management
with Grafeas and Kritis
Aysylu Greenberg May 8 2019
Photo via https://www.goodfreephotos.com/

2. Aysylu
Greenberg

3. Aysylu
Greenberg
- Sr Software Engineer
@Google

4. Aysylu
Greenberg
- Sr Software Engineer
@Google
- Eng Lead of
open-source Grafeas
and Kritis

5. Aysylu
Greenberg
- Sr Software Engineer
@Google
- Eng Lead of
open-source Grafeas
and Kritis
- @aysylu22

6. In This Talk
Software
Supply Chain
Management
Kritis Grafeas Kritis &
Grafeas 0.1.0
1 2 3 4

7. In This Talk
Software
Supply Chain
Management
Kritis Grafeas Kritis &
Grafeas 0.1.0
1 2 3 4

8. Google runs in
containers
In any given week, we
launch over two billion
containers.

9. Software Supply
Chain Management
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

10. Software Supply
Chain Management
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

11. Software Supply
Chain Management
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

12. Software Supply
Chain Management
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

13. Software Supply
Chain Management
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA
CI pipelines

14. Software Supply
Chain Management
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

15. Software Supply
Chain Management
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA
CD pipelines

16. Software Supply
Chain Management
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

17. Software Supply
Chain Management
what happens to
code from source to
deployment?
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

18. Software Supply
Chain Management
what happens to
code from source to
deployment?
CI/CD pipelines,
observability tools
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

19. Software Supply Chain with Grafeas & Kritis
Build &
Deploy

20. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy

21. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks

22. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks
Centralized metadata
knowledge base
Grafeas backed storage
vulnerabilities, build info, etc.

23. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks
Centralized metadata
knowledge base
Kritis
Admission
controller
Grafeas backed storage
vulnerabilities, build info, etc.

24. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks
Centralized metadata
knowledge base
Kritis
Admission
controller
Deploy time policy chokepoint
Enforce policies for
severity of vulnerabilities, image location, etc.
Grafeas backed storage
vulnerabilities, build info, etc.

25. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks
Centralized metadata
knowledge base
Kritis
Admission
controller
Deploy time policy chokepoint
Enforce policies for
severity of vulnerabilities, image location, etc.
Production
Grafeas backed storage
vulnerabilities, build info, etc.

26. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks
Grafeas backed storage
vulnerabilities, build info, etc.
Centralized metadata
knowledge base
Kritis
Admission
controller
Deploy time policy chokepoint
Enforce policies for
severity of vulnerabilities, image location, etc.
Production

27. Grafeas & Kritis
Binary
Authorization
Container Registry
Vulnerability
Scanning

28. In This Talk
Software
Supply Chain
Management
Kritis Grafeas Kritis &
Grafeas 0.1.0
1 2 3 4

29. In This Talk
Software
Supply Chain
Management
Kritis Grafeas Kritis &
Grafeas 0.1.0
1 2 3 4

30. Kritis
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA
github.com/grafeas/kritis

31. Let's deploy our
e-commerce website...

32. Kritis: Admission Flow
$ kubectl apply site.yaml

33. Kritis: Admission Flow
kubectl
apply
site.yaml

34. Kritis: Admission Flow
k8s
kubectl
apply
site.yaml

35. Kritis: Admission Flow
k8sKritis
kubectl
apply
site.yaml

36. Kritis: Admission Flow
k8sKritis
kubectl
apply
site.yaml
$ helm install <path>/kritis-charts-0.1.0.tgz

37. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
Pod
spec
1. Admission
Request
Kritis

38. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis

39. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis

40. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review

41. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies

42. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD

43. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator

44. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas

45. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas

46. Oh no! Vulnerability scan
isn't finished...

47. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 a)
denied
4 a)
denied

48. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 a)
denied
4 a)
denied
Pod

49. Vulnerability scanning is
finished!
CVE-2019-5514 is found...

50. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln

51. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 a)
denied
Pod
vuln

52. Whitelist CVE-2019-5514
because it doesn't affect
the website...

53. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln

54. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 b) admitted4 b) admitted
Pod
vuln

55. It's time to scale up your site!
$ kubectl scale deployments/site --replicas=4

56. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
Pod PodPod Pod vuln

57. A new vulnerability is
found during scale up...
CVE-2019-9919

58. vuln
Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
Pod PodPod Pod
CVE-2019-9919

59. Kritis attestations to the
rescue...

60. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 b) admitted4 b) admitted
Pod
vuln

61. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
vuln

62. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
vuln

63. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation

64. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod

65. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
CVE-2019-9919

66. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
CVE-2019-9919
6. Fetch
attestations
for admitted
image

67. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
CVE-2019-9919
6. Fetch
attestations
for admitted
image
Pod Pod
7. admitted

68. Discovering new
vulnerabilities in admitted
containers ...

69. Kritis: Background Cron
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
6. Fetch
attestations
for admitted
image
Pod Pod
7. admitted

70. Kritis: Background Cron
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
6. Fetch
attestations
for admitted
image
Pod Pod
Background
Cron
7. admitted

71. Kritis: Background Cron
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
6. Fetch
attestations
for admitted
image
Pod Pod
Background
Cron
7. admitted

72. Kritis: Background Cron
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
6. Fetch
attestations
for admitted
image
Pod Pod
Background
Cron
7. admitted

73. Kritis Terminology
● Grafeas metadata API
○ Retrieve vulnerability data for images
○ Store and retrieve attestations

74. Kritis Terminology
● Grafeas metadata API
○ Retrieve vulnerability data for images
○ Store and retrieve attestations
● Custom Resource Definitions (CRDs)
○ Extension of k8s API
○ Used to store enforcement policies as k8s objects

75. Kritis Terminology
● Grafeas metadata API
○ Retrieve vulnerability data for images
○ Store and retrieve attestations
● Custom Resource Definitions (CRDs)
○ Extension of k8s API
○ Used to store enforcement policies as k8s objects
● Validating Admission Webhook
○ HTTP callbacks receive admission request: accept/reject
to enforce custom admission policies

76. GenericAttestationPolicy CRD
apiVersion: kritis.grafeas.io/v1beta1
kind: GenericAttestationPolicy
metadata:
name: my-gap
spec:
attestationAuthorities:
- my-attestor
- deploy-attestor

77. AttestationAuthority CRD
apiVersion: kritis.grafeas.io/v1beta1
kind: AttestationAuthority
metadata:
name: my-attestor
spec:
privateKeySecretName: my-kubernetes-secret
publicData: “-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFvJLhwBCADCiNJAJkFUwYrH=vmny
...
-----END PGP PUBLIC KEY BLOCK-----”
noteReference: v1beta1/projects/my-project

78. ImageSecurityPolicy CRD
apiVersion: kritis.grafeas.io/v1beta1
kind: ImageSecurityPolicy
metadata:
name: my-isp
spec:
imageWhitelist:
- gcr.io/kritis-int-test/nginx-digest-whitelist:latest
packageVulnerabilityRequirements:
maximumSeverity: MEDIUM
whitelistCVEs:
- providers/goog-vulnz/notes/CVE-2017-1000082
- providers/goog-vulnz/notes/CVE-2017-1000081

79. Kritis
Open source, built with the community
Plugs into the k8s admission controller
Ensure vulnerability scanning before deployment
Attest images and verify before deployment
Apply consistent deploy policy across k8s
environmentsgithub.com/grafeas/kritis
kritis-users@googlegroups.com

80. In This Talk
Software
Supply Chain
Management
Kritis Grafeas Kritis &
Grafeas 0.1.0
1 2 3 4

81. In This Talk
Software
Supply Chain
Management
Kritis Grafeas Kritis &
Grafeas 0.1.0
1 2 3 4

82. Grafeas
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA
github.com/grafeas/grafeas

83. Grafeas:
Artifact Metadata API

84. Grafeas:
Artifact Metadata API
= images, binaries, packages...

85. Grafeas:
Artifact Metadata API
= build, deployment, vulnerability, ...

86. Grafeas:
Artifact Metadata API
= store & retrieve metadata about artifacts

87. Grafeas: Terminology
● Notes: high-level description of types of metadata
○ e.g. Common Vulnerabilities and Exposures (CVE) as
Vulnerability Note

88. Grafeas: Terminology
● Notes: high-level description of types of metadata
○ e.g. Common Vulnerabilities and Exposures (CVE) as
Vulnerability Note
● Occurrences: instance of note in an artifact
○ e.g. CVE presence in an image

89. Grafeas: Terminology
● Notes: high-level description of types of metadata
○ e.g. Common Vulnerabilities and Exposures (CVE) as
Vulnerability Note
● Occurrences: instance of note in an artifact
○ e.g. CVE presence in an image
● Providers and Consumers

90. Grafeas: Terminology
● Notes: high-level description of types of metadata
○ e.g. Common Vulnerabilities and Exposures (CVE) as
Vulnerability Note
● Occurrences: instance of note in an artifact
○ e.g. CVE presence in an image
● Providers and Consumers

91. Grafeas: Providers and Consumers
Grafeas

92. Grafeas: Providers and Consumers
Vulnerability
Scanning
Grafeas

93. Grafeas: Providers and Consumers
Vulnerability
Scanning
Store
vulnerability
Notes (CVEs)
Grafeas

94. Grafeas: Providers and Consumers
Vulnerability
Scanning
Store
vulnerability
Ocurrences for
containers
Store
vulnerability
Notes (CVEs)
Grafeas

95. Grafeas: Providers and Consumers
Vulnerability
Scanning
Store
vulnerability
Ocurrences for
containers
Store
vulnerability
Notes (CVEs)
Kritis
Grafeas

96. Grafeas: Providers and Consumers
Vulnerability
Scanning
Store
vulnerability
Ocurrences for
containers
Store
vulnerability
Notes (CVEs)
Kritis
Read vulnerability
Occurrences for
container
Grafeas

97. Grafeas: Terminology (cont'd)
● Resource URL: identifier for artifact in Occurrence

98. Grafeas: Terminology (cont'd)
● Resource URL: identifier for artifact in Occurrence

99. Grafeas: Terminology (cont'd)
● Resource URL: identifier for artifact in Occurrence
● Kind specific schemas

100. Grafeas: Deployment Note
// An artifact that can be deployed in some runtime.
message DeploymentNote {
// Required. Resource URI for the artifact being deployed.
repeated string resource_uri = 1;
}

101. Grafeas: Deployment Occurrence
// The period during which some deployable was active in a runtime.
message DeploymentOccurrence {
// Identity of the user that triggered this deployment.
string user_email = 1;
// Required. Beginning of the lifetime of this deployment.
google.protobuf.Timestamp deploy_time = 2;
// Output only. Resource URI for the artifact being deployed taken
from the deployable field with the same name.
repeated string resource_uri = 6;
...}

102. Grafeas: Architecture

103. Grafeas
Open artifact metadata standard with
contributions from the industry
Audit and govern your software supply chain
Knowledge base for on-premises and cloud
clusters
API with pluggable storage backendsgithub.com/grafeas/grafeas
grafeas-users@googlegroups.com
grafeas-dev@googlegroups.com
@Grafeasio

104. In This Talk
Software
Supply Chain
Management
Kritis Grafeas Kritis &
Grafeas 0.1.0
1 2 3 4

105. In This Talk
Software
Supply Chain
Management
Kritis Grafeas Kritis &
Grafeas 0.1.0
1 2 3 4

106. Coming soon... 0.1.0

107. Goals
Enable users to start experimenting with Kritis and Grafeas
Move towards hybrid-cloud support
Gather community feedback
0.1.0

108. 0.1.0
Scope
Standalone Kritis on Kubernetes with standalone Grafeas

109. 0.1.0
User Journeys
Allow deployment of a container to Kubernetes cluster
Block deployment of a unadmitted container to the cluster

110. ● Grafeas:
○ Helm chart for Grafeas & published image
○ Standalone Grafeas server with Postgres storage backend
○ Basic support for Go client library
Features
0.1.0

111. ● Grafeas:
○ Helm chart for Grafeas & published image
○ Standalone Grafeas server with Postgres storage backend
○ Basic support for Go client library
● Kritis:
○ GenericAttestationPolicy
○ Default admittance fallback policy is well-defined
○ Configurable
Features
0.1.0

112. Learn more and follow along!
github.com/grafeas/{grafeas,kritis}
Google Groups: {grafeas,kritis}-users, grafeas-dev
@grafeasio
Obrigada!
0.1.0