Software Supply Chain Management with Grafeas and Kritis - Aysylu Greenberg - PowerPoint PPT Presentation



slide-1
SLIDE 1

Software Supply Chain Management with Grafeas and Kritis
Aysylu Greenberg, May 8 2019

Photo via https://www.goodfreephotos.com/

slide-2
SLIDE 2

Aysylu Greenberg

  • Sr Software Engineer @Google
  • Eng Lead of open-source Grafeas and Kritis
  • @aysylu22
slide-6
SLIDE 6

In This Talk

  1. Software Supply Chain Management
  2. Kritis
  3. Grafeas
  4. Kritis & Grafeas 0.1.0


slide-8
SLIDE 8

Google runs in containers

In any given week, we launch over two billion containers.

slide-9
SLIDE 9

Software Supply Chain Management

Code Checkin · Test & Verification · Write code · Build Image · Deploy to Production · QA

CI pipelines · CD pipelines

slide-17
SLIDE 17

Software Supply Chain Management: what happens to code from source to deployment?

CI/CD pipelines, observability tools

Code Checkin · Test & Verification · Write code · Build Image · Deploy to Production · QA

slide-19
SLIDE 19

Software Supply Chain with Grafeas & Kritis

  • CI/CD pipelines: Build & Deploy
    ○ Secure build process
    ○ Automated test, scan, analysis
    ○ Deploy checks
  • Grafeas: centralized metadata knowledge base
    ○ Backed storage for vulnerabilities, build info, etc.
  • Kritis: admission controller, deploy-time policy chokepoint
    ○ Enforce policies for severity of vulnerabilities, image location, etc.
  • Production

slide-27
SLIDE 27

Grafeas & Kritis

Binary Authorization · Container Registry Vulnerability Scanning

slide-28
SLIDE 28

In This Talk

  1. Software Supply Chain Management
  2. Kritis
  3. Grafeas
  4. Kritis & Grafeas 0.1.0


slide-30
SLIDE 30

Kritis

Code Checkin · Test & Verification · Write code · Build Image · Deploy to Production · QA

github.com/grafeas/kritis

slide-31
SLIDE 31

Let's deploy our e-commerce website...

slide-32
SLIDE 32

Kritis: Admission Flow

$ kubectl apply -f site.yaml

k8s → Kritis (installed into the cluster with: $ helm install <path>/kritis-charts-0.1.0.tgz)

slide-37
SLIDE 37

Kritis: Admission Flow

$ kubectl apply -f site.yaml → k8s → WebHook → Kritis

  • 1. Admission Request: k8s sends the Pod spec to Kritis through the validating WebHook
  • 2. Review Policies: Image Security Policy CRDs per namespace (ns:prod, ns:qa), evaluated by the Image Security Validator
  • 3. Fetch metadata from Grafeas

slide-46
SLIDE 46

Oh no! Vulnerability scan isn't finished...

slide-47
SLIDE 47

Kritis: Admission Flow

$ kubectl apply -f site.yaml → k8s → WebHook → Kritis

  • 1. Admission Request: Pod spec
  • 2. Review Policies: Image Security Policy CRDs per namespace (ns:prod, ns:qa) → Image Security Validator
  • 3. Fetch metadata from Grafeas: no scan results for the image yet
  • 4 a) denied: the Pod is not created

slide-49
SLIDE 49

Vulnerability scanning is finished! CVE-2019-5514 is found...

slide-50
SLIDE 50

Kritis: Admission Flow

$ kubectl apply -f site.yaml → k8s → WebHook → Kritis

  • 1. Admission Request: Pod spec
  • 2. Review Policies: Image Security Policy CRDs per namespace (ns:prod, ns:qa) → Image Security Validator
  • 3. Fetch metadata from Grafeas: vuln (CVE-2019-5514)
  • 4 a) denied: the Pod is not created

slide-52
SLIDE 52

Whitelist CVE-2019-5514 because it doesn't affect the website...

slide-53
SLIDE 53

Kritis: Admission Flow

$ kubectl apply -f site.yaml → k8s → WebHook → Kritis

  • 1. Admission Request: Pod spec
  • 2. Review Policies: Image Security Policy CRDs per namespace (ns:prod, ns:qa) → Image Security Validator
  • 3. Fetch metadata from Grafeas: vuln (CVE-2019-5514, whitelisted)
  • 4 b) admitted: Pod created

slide-55
SLIDE 55

It's time to scale up your site!

$ kubectl scale deployments/site --replicas=4

slide-56
SLIDE 56

Kritis: Admission Flow

$ kubectl apply -f site.yaml → k8s → WebHook → Kritis

  • 1. Admission Request: Pod spec
  • 2. Review Policies: Image Security Policy CRDs per namespace (ns:prod, ns:qa) → Image Security Validator
  • 3. Fetch metadata from Grafeas: vuln (CVE-2019-5514, whitelisted)
  • Pod Pod Pod Pod (4 replicas)

slide-57
SLIDE 57

A new vulnerability is found during scale up... CVE-2019-9919

slide-58
SLIDE 58

Kritis: Admission Flow

$ kubectl apply -f site.yaml → k8s → WebHook → Kritis

  • 1. Admission Request: Pod spec
  • 2. Review Policies: Image Security Policy CRDs per namespace (ns:prod, ns:qa) → Image Security Validator
  • 3. Fetch metadata from Grafeas: vuln (CVE-2019-5514 whitelisted, CVE-2019-9919 new)
  • Pod Pod Pod Pod ← CVE-2019-9919

slide-59
SLIDE 59

Kritis attestations to the rescue...

slide-60
SLIDE 60

Kritis: Admission Flow

$ kubectl apply -f site.yaml → k8s → WebHook → Kritis

  • 1. Admission Request: Pod spec
  • 2. Review Policies: Image Security Policy CRDs per namespace (ns:prod, ns:qa) → Image Security Validator
  • 3. Fetch metadata from Grafeas: vuln
  • 4 b) admitted: Pod created; the Attestor (Attestation Authority CRD) attests the admitted image
  • 5. Store attestations for admitted images in Grafeas
  • 6. Fetch attestations for admitted image: on a later admission request for the same image, Kritis finds the stored attestation even though CVE-2019-9919 is now known
  • 7. admitted: Pod Pod
slide-68
SLIDE 68

Discovering new vulnerabilities in admitted containers...

slide-69
SLIDE 69

Kritis: Background Cron

Same diagram as the admission flow (steps 1-7), plus a Background Cron attached to the admitted Pods: Kritis periodically re-checks the running containers against Grafeas metadata to discover new vulnerabilities in already-admitted containers.
slide-73
SLIDE 73

Kritis Terminology

  • Grafeas metadata API
    ○ Retrieve vulnerability data for images
    ○ Store and retrieve attestations
  • Custom Resource Definitions (CRDs)
    ○ Extension of the k8s API
    ○ Used to store enforcement policies as k8s objects
  • Validating Admission Webhook
    ○ HTTP callbacks receive the admission request and accept/reject it to enforce custom admission policies

slide-76
SLIDE 76

GenericAttestationPolicy CRD

    apiVersion: kritis.grafeas.io/v1beta1
    kind: GenericAttestationPolicy
    metadata:
      name: my-gap
    spec:
      attestationAuthorities:
      - my-attestor
      - deploy-attestor

slide-77
SLIDE 77

AttestationAuthority CRD

    apiVersion: kritis.grafeas.io/v1beta1
    kind: AttestationAuthority
    metadata:
      name: my-attestor
    spec:
      privateKeySecretName: my-kubernetes-secret
      publicData: "-----BEGIN PGP PUBLIC KEY BLOCK-----
        mQENBFvJLhwBCADCiNJAJkFUwYrH=vmny ...
        -----END PGP PUBLIC KEY BLOCK-----"
      noteReference: v1beta1/projects/my-project
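
As an added example (not code from the talk or from the Kritis project), the attestation half of the admission flow behind the two CRDs above: an AttestationAuthority signs the admitted image reference (step 5), and a later request for the same image is admitted if a stored attestation verifies under an authority listed in the GenericAttestationPolicy (steps 6 and 7). Assumptions: Ed25519 stands in for the PGP key in publicData, authority names resolve straight to public keys, one valid attestation from any listed authority suffices, and the image reference and authority names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Attestation is what Kritis stores in Grafeas after admitting an image: a
// signature by an AttestationAuthority over the digest-pinned image reference.
type Attestation struct {
	Authority string // AttestationAuthority CRD name, e.g. "my-attestor"
	Image     string // image reference the signature covers
	Signature []byte
}

// Authority stands in for an AttestationAuthority CRD: the key that would sit in
// the Secret named by privateKeySecretName, plus its publicData. Ed25519
// replaces PGP here (assumption).
type Authority struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewAuthority(name string) (*Authority, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	if err != nil {
		return nil, err
	}
	return &Authority{Name: name, Pub: pub, priv: priv}, nil
}

// Attest is step 5 of the flow: sign the image reference that was admitted.
func (a *Authority) Attest(image string) Attestation {
	return Attestation{Authority: a.Name, Image: image, Signature: ed25519.Sign(a.priv, []byte(image))}
}

// GenericAttestationPolicy mirrors the GAP CRD's attestationAuthorities list,
// with each name mapped straight to that authority's public key (assumption).
type GenericAttestationPolicy struct {
	AttestationAuthorities map[string]ed25519.PublicKey
}

// Admit is steps 6-7: admit if one fetched attestation verifies under a listed
// authority's key. Unlisted authorities and signatures over a different image
// reference (a rebuilt or re-tagged image) do not count.
func Admit(gap GenericAttestationPolicy, fetched []Attestation, image string) bool {
	for _, att := range fetched {
		pub, listed := gap.AttestationAuthorities[att.Authority]
		if !listed || att.Image != image {
			continue
		}
		if ed25519.Verify(pub, []byte(image), att.Signature) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed scale-up scenario: the site image was attested when first admitted.
	attestor, err := NewAuthority("my-attestor")
	if err != nil {
		panic(err)
	}
	const site = "gcr.io/example-project/site@sha256:constructed-digest"
	gap := GenericAttestationPolicy{map[string]ed25519.PublicKey{attestor.Name: attestor.Pub}}
	stored := []Attestation{attestor.Attest(site)} // step 5, kept in Grafeas
	fmt.Println("replica admitted:", Admit(gap, stored, site))         // true
	fmt.Println("new build admitted:", Admit(gap, stored, site+"-v2")) // false
}
```
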

slide-78
SLIDE 78

ImageSecurityPolicy CRD

    apiVersion: kritis.grafeas.io/v1beta1
    kind: ImageSecurityPolicy
    metadata:
      name: my-isp
    spec:
      imageWhitelist:
      - gcr.io/kritis-int-test/nginx-digest-whitelist:latest
      packageVulnerabilityRequirements:
        maximumSeverity: MEDIUM
        whitelistCVEs:
        - providers/goog-vulnz/notes/CVE-2017-1000082
        - providers/goog-vulnz/notes/CVE-2017-1000081
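
As an added example (not code from the talk or from the Kritis project), the Image Security Validator's decision for one image written against the ISP fields above (imageWhitelist, maximumSeverity, whitelistCVEs), including the two cases from the admission-flow slides: a scan that has not finished (no metadata, so deny) and a CVE that shows up later. Assumptions: the in-memory Store stands in for Grafeas, the severities and the site image reference are constructed, and note names follow the providers/goog-vulnz/notes/... pattern from the slide.

```go
package main

import "fmt"

// Severity ranks for packageVulnerabilityRequirements.maximumSeverity.
var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// VulnOccurrence models a Grafeas vulnerability Occurrence: one CVE Note
// (e.g. providers/goog-vulnz/notes/CVE-2019-5514) observed in one image.
type VulnOccurrence struct{ NoteName, Severity string }

// ImageSecurityPolicy mirrors the spec fields of the ISP CRD on the slide.
type ImageSecurityPolicy struct {
	ImageWhitelist  []string
	MaximumSeverity string
	WhitelistCVEs   []string
}

// Store is a constructed in-memory stand-in for the Grafeas backend, keyed by
// image reference. A missing key means no scan result exists yet; an empty
// slice means the scan finished and found nothing.
type Store map[string][]VulnOccurrence

// Review applies one ISP to one image and returns (admitted, reason). It fails
// closed: missing metadata and unrecognised severities both deny.
func Review(isp ImageSecurityPolicy, md Store, image string) (bool, string) {
	for _, w := range isp.ImageWhitelist {
		if w == image {
			return true, "admitted: image whitelisted"
		}
	}
	occs, scanned := md[image]
	if !scanned {
		return false, "denied: vulnerability scan not finished"
	}
	maxRank, known := severityRank[isp.MaximumSeverity]
	if !known {
		return false, "denied: unknown maximumSeverity " + isp.MaximumSeverity
	}
	allowed := map[string]bool{}
	for _, c := range isp.WhitelistCVEs {
		allowed[c] = true
	}
	var violations []string
	for _, o := range occs {
		if allowed[o.NoteName] {
			continue // whitelisted CVE, e.g. one that does not affect the site
		}
		if rank, ok := severityRank[o.Severity]; !ok || rank > maxRank {
			violations = append(violations, o.NoteName+" ("+o.Severity+")")
		}
	}
	if len(violations) > 0 {
		return false, fmt.Sprint("denied: ", violations)
	}
	return true, "admitted: nothing above " + isp.MaximumSeverity
}

func main() {
	// Constructed walk-through of the talk's storyline for one site image.
	const site, cve5514 = "gcr.io/example-project/site@sha256:constructed", "providers/goog-vulnz/notes/CVE-2019-5514"
	isp, store := ImageSecurityPolicy{MaximumSeverity: "MEDIUM"}, Store{}
	fmt.Println(Review(isp, store, site)) // scan pending -> denied
	store[site] = []VulnOccurrence{{cve5514, "HIGH"}}
	fmt.Println(Review(isp, store, site)) // HIGH above MEDIUM -> denied
	isp.WhitelistCVEs = []string{cve5514}
	fmt.Println(Review(isp, store, site)) // whitelisted -> admitted
	store[site] = append(store[site], VulnOccurrence{"providers/goog-vulnz/notes/CVE-2019-9919", "CRITICAL"})
	fmt.Println(Review(isp, store, site)) // new CVE, no attestation -> denied
}
```
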
slide-79
SLIDE 79

Kritis

  • Open source, built with the community
  • Plugs into the k8s admission controller
  • Ensure vulnerability scanning before deployment
  • Attest images and verify before deployment
  • Apply consistent deploy policy across k8s environments

github.com/grafeas/kritis

kritis-users@googlegroups.com

slide-80
SLIDE 80

In This Talk

  1. Software Supply Chain Management
  2. Kritis
  3. Grafeas
  4. Kritis & Grafeas 0.1.0


slide-82
SLIDE 82

Grafeas

Code Checkin · Test & Verification · Write code · Build Image · Deploy to Production · QA

github.com/grafeas/grafeas

slide-83
SLIDE 83

Grafeas: Artifact Metadata API

  • Artifact = images, binaries, packages, ...
  • Metadata = build, deployment, vulnerability, ...
  • API = store & retrieve metadata about artifacts

slide-87
SLIDE 87

Grafeas: Terminology

  • Notes: high-level description of types of metadata
    ○ e.g. Common Vulnerabilities and Exposures (CVE) as Vulnerability Note
  • Occurrences: instance of a Note in an artifact
    ○ e.g. CVE presence in an image
  • Providers and Consumers
slide-91
SLIDE 91

Grafeas: Providers and Consumers

  • Vulnerability Scanning (provider) → Grafeas
    ○ Store vulnerability Notes (CVEs)
    ○ Store vulnerability Occurrences for containers
  • Kritis (consumer) ← Grafeas
    ○ Read vulnerability Occurrences for container
slide-97
SLIDE 97

Grafeas: Terminology (cont'd)

  • Resource URL: identifier for the artifact in an Occurrence
  • Kind-specific schemas
slide-100
SLIDE 100

Grafeas: Deployment Note

    // An artifact that can be deployed in some runtime.
    message DeploymentNote {
      // Required. Resource URI for the artifact being deployed.
      repeated string resource_uri = 1;
    }

slide-101
SLIDE 101

Grafeas: Deployment Occurrence

    // The period during which some deployable was active in a runtime.
    message DeploymentOccurrence {
      // Identity of the user that triggered this deployment.
      string user_email = 1;
      // Required. Beginning of the lifetime of this deployment.
      google.protobuf.Timestamp deploy_time = 2;
      // Output only. Resource URI for the artifact being deployed taken from
      // the deployable field with the same name.
      repeated string resource_uri = 6;
      ...
    }

slide-102
SLIDE 102

Grafeas: Architecture

slide-103
SLIDE 103

Grafeas

  • Open artifact metadata standard with contributions from the industry
  • Audit and govern your software supply chain
  • Knowledge base for on-premises and cloud clusters
  • API with pluggable storage backends

github.com/grafeas/grafeas

grafeas-users@googlegroups.com
grafeas-dev@googlegroups.com
@Grafeasio

slide-104
SLIDE 104

In This Talk

  1. Software Supply Chain Management
  2. Kritis
  3. Grafeas
  4. Kritis & Grafeas 0.1.0


slide-106
SLIDE 106

Coming soon... 0.1.0

slide-107
SLIDE 107

Goals

  • Enable users to start experimenting with Kritis and Grafeas
  • Move towards hybrid-cloud support
  • Gather community feedback

0.1.0

slide-108
SLIDE 108

0.1.0

Scope Standalone Kritis on Kubernetes with standalone Grafeas

slide-109
SLIDE 109

0.1.0

User Journeys

  • Allow deployment of a container to a Kubernetes cluster
  • Block deployment of an unadmitted container to the cluster

slide-110
SLIDE 110

Features 0.1.0

  • Grafeas:
    ○ Helm chart for Grafeas & published image
    ○ Standalone Grafeas server with Postgres storage backend
    ○ Basic support for Go client library
  • Kritis:
    ○ GenericAttestationPolicy
    ○ Default admittance fallback policy is well-defined
    ○ Configurable

slide-112
SLIDE 112

Learn more and follow along! github.com/grafeas/{grafeas,kritis}

Google Groups: {grafeas,kritis}-users, grafeas-dev @grafeasio

Thank you!

0.1.0