Software supply chain is a collective term for the continuous integration and delivery pipelines, together with the observability tools that track what happens to a piece of code from the moment it enters source control to when it gets deployed, and everywhere in between. Grafeas is an open-source artifact metadata API to audit and govern your software supply chain. It's built as an industry standard for storing and retrieving metadata about software resources. Kritis is an open-source solution for securing your software supply chain for Kubernetes applications. It enforces deploy-time security policies using Grafeas.
This talk will discuss the goals of each of the two open source projects, dive into examples of how they can be used to secure your company's software supply chain, and conclude with the details of current and future development.
17. Software Supply Chain Management
what happens to code from source to deployment?
[Pipeline diagram: Write code → Code Checkin → Build Image → Test & Verification → QA → Deploy to Production]
18. Software Supply Chain Management
what happens to code from source to deployment?
CI/CD pipelines, observability tools
[Same pipeline diagram as slide 17]
69. Kritis: Background Cron
[Diagram: kubectl apply site.yaml → k8s WebHook → Pod spec → Kritis. Steps: 1. Admission Request reaches Kritis; 2. review Policies (Image Security Policy CRDs per namespace, e.g. ns:prod, ns:qa); 3. Image Security Validator fetches vuln metadata from Grafeas; 4 b) Pod admitted; 5. Attestor (Attestation Authority CRD) stores attestations for admitted images; 6. fetch attestations for admitted image; 7. Pod admitted.]
70. Kritis: Background Cron
[Same diagram as slide 69, with the Background Cron component added.]
73. Kritis Terminology
● Grafeas metadata API
○ Retrieve vulnerability data for images
○ Store and retrieve attestations
74. Kritis Terminology
● Custom Resource Definitions (CRDs)
○ Extension of k8s API
○ Used to store enforcement policies as k8s objects
75. Kritis Terminology
● Validating Admission Webhook
○ HTTP callbacks receive an admission request and accept/reject it to enforce custom admission policies
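The decision the validating webhook makes, written out as an added Go example (not Kritis's own code): it models the admission flow from the Kritis slides with constructed stand-ins for the Image Security Policy CRD, Grafeas vulnerability Occurrences and attestations. The check order (attestation first, then vulnerability severity against the policy) and every field name are this example's assumptions.

```go
package main

import "fmt"

// Constructed stand-ins for the Grafeas records on the slides: a vulnerability
// Occurrence ties a CVE Note to an image; an attestation records that an
// Attestation Authority has vouched for the image.
type VulnOccurrence struct{ Image, CVE, Severity string }
type Attestation struct{ Image, Authority string }

// ImageSecurityPolicy stands in for the per-namespace CRD; the field names are
// this example's assumptions, not the CRD's real schema.
type ImageSecurityPolicy struct{ Namespace, MaxSeverity, Authority string }

var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Review decides one image of an admission request. An image already attested
// by the policy's authority is admitted on that basis (steps 6-7); otherwise
// every vulnerability Occurrence fetched from Grafeas (step 3) must be at or
// below the policy's maximum severity. An image admitted on the vulnerability
// check also yields a new Attestation for the Attestor to store (step 5).
// The string is the reason that would go into the AdmissionReview response.
func Review(p ImageSecurityPolicy, image string, vulns []VulnOccurrence, atts []Attestation) (bool, *Attestation, string) {
	for _, a := range atts {
		if a.Image == image && a.Authority == p.Authority {
			return true, nil, image + " attested by " + a.Authority
		}
	}
	limit := severityRank[p.MaxSeverity]
	for _, v := range vulns {
		if v.Image == image && severityRank[v.Severity] > limit {
			return false, nil, fmt.Sprintf("%s: %s is %s, policy max is %s", image, v.CVE, v.Severity, p.MaxSeverity)
		}
	}
	return true, &Attestation{Image: image, Authority: p.Authority}, image + ": no vulnerability above " + p.MaxSeverity
}

// BackgroundCron re-reviews the images of pods already running in the
// namespace and returns those that would no longer be admitted, e.g. because a
// CVE Occurrence was added after deployment and the image was never attested.
func BackgroundCron(p ImageSecurityPolicy, running []string, vulns []VulnOccurrence, atts []Attestation) []string {
	var violating []string
	for _, img := range running {
		if ok, _, _ := Review(p, img, vulns, atts); !ok {
			violating = append(violating, img)
		}
	}
	return violating
}
```

An attestation from an authority other than the one named in the namespace's policy does not count, so a policy change in ns:prod cannot be satisfied by attestations meant for ns:qa.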
79. Kritis
Open source, built with the community
Plugs into the k8s admission controller
Ensure vulnerability scanning before deployment
Attest images and verify before deployment
Apply consistent deploy policy across k8s environments
github.com/grafeas/kritis
kritis-users@googlegroups.com
87. Grafeas: Terminology
● Notes: high-level description of types of metadata
○ e.g. Common Vulnerabilities and Exposures (CVE) as Vulnerability Note
88. Grafeas: Terminology
● Occurrences: instance of note in an artifact
○ e.g. CVE presence in an image
89. Grafeas: Terminology
● Providers and Consumers
93. Grafeas: Providers and Consumers
[Diagram: a Vulnerability Scanning provider stores vulnerability Notes (CVEs) in Grafeas.]
94. Grafeas: Providers and Consumers
[Diagram: the Vulnerability Scanning provider also stores vulnerability Occurrences for containers in Grafeas.]
95. Grafeas: Providers and Consumers
[Diagram: Kritis is added as a consumer of Grafeas.]
96. Grafeas: Providers and Consumers
[Diagram: Kritis reads vulnerability Occurrences for a container from Grafeas.]
100. Grafeas: Deployment Note
// An artifact that can be deployed in some runtime.
message DeploymentNote {
  // Required. Resource URI for the artifact being deployed.
  repeated string resource_uri = 1;
}
101. Grafeas: Deployment Occurrence
// The period during which some deployable was active in a runtime.
message DeploymentOccurrence {
  // Identity of the user that triggered this deployment.
  string user_email = 1;
  // Required. Beginning of the lifetime of this deployment.
  google.protobuf.Timestamp deploy_time = 2;
  // Output only. Resource URI for the artifact being deployed taken
  // from the deployable field with the same name.
  repeated string resource_uri = 6;
  ...
}
103. Grafeas
Open artifact metadata standard with contributions from the industry
Audit and govern your software supply chain
Knowledge base for on-premises and cloud clusters
API with pluggable storage backends
github.com/grafeas/grafeas
grafeas-users@googlegroups.com
grafeas-dev@googlegroups.com
@Grafeasio
110. Features 0.1.0
● Grafeas:
○ Helm chart for Grafeas & published image
○ Standalone Grafeas server with Postgres storage backend
○ Basic support for Go client library
111. Features 0.1.0
● Kritis:
○ GenericAttestationPolicy
○ Default admittance fallback policy is well-defined
○ Configurable
112. Learn more and follow along!
github.com/grafeas/{grafeas,kritis}
Google Groups: {grafeas,kritis}-users, grafeas-dev
@grafeasio
Thank you!