sofuware supply chain management with grafeas and kritis
play

Sofuware Supply Chain Management with Grafeas and Kritis Aysylu - PowerPoint PPT Presentation

Feb 11, 2023 •458 likes •1.59k views

Sofuware Supply Chain Management with Grafeas and Kritis Aysylu Greenberg May 8 2019 Photo via https://www.goodfreephotos.com/ Aysylu Greenberg Aysylu Greenberg - Sr Sofuware Engineer @Google Aysylu Greenberg - Sr Sofuware Engineer

  1. Kritis: Admission Flow k8s Kritis 1. Admission WebHook kubectl Request apply 2. review Pod site.yaml Policies spec Image Security Validator ns:qa ns:prod ns:prod Image 3. Fetch Image Image Security Grafeas metadata Security Security Policy Policy Policy CRD CRD CRD vuln Pod Pod Pod Pod

  2. A new vulnerability is found during scale up... CVE-2019-9919

  3. Kritis: Admission Flow k8s Kritis 1. Admission WebHook kubectl Request apply 2. review Pod site.yaml Policies spec Image Security Validator ns:qa ns:prod ns:prod Image 3. Fetch Image Image Security Grafeas metadata Security Security Policy Policy Policy CRD CRD CRD CVE-2019-9919 vuln Pod Pod Pod Pod

  4. Kritis atuestations to the rescue...

  5. Kritis: Admission Flow k8s Kritis 1. Admission WebHook kubectl Request apply 2. review Pod site.yaml Policies spec Image Security Validator ns:qa ns:prod ns:prod Image 3. Fetch Image Image Security Grafeas metadata Security Security Policy Policy Policy CRD CRD CRD 4 b) admitted 4 b) admitted vuln Pod

  6. Kritis: Admission Flow k8s Kritis 1. Admission WebHook kubectl Request apply 2. review Pod site.yaml Policies spec Image Security Validator ns:qa ns:prod ns:prod Image 3. Fetch Image Image Security Grafeas metadata Security Security Policy Policy Policy CRD CRD CRD 4 b) admitted 4 b) admitted Attestation Attestor Authority CRD vuln Pod

  7. Kritis: Admission Flow k8s Kritis 1. Admission WebHook kubectl Request apply 2. review Pod site.yaml Policies spec Image Security Validator ns:qa ns:prod ns:prod Image 3. Fetch Image Image Security Grafeas metadata Security Security Policy Policy Policy CRD CRD CRD 5. Store attestations for admitted images 4 b) admitted 4 b) admitted Attestation Attestor Authority CRD vuln Pod

  8. Kritis: Admission Flow k8s Kritis 1. Admission WebHook kubectl Request apply 2. review Pod site.yaml Policies spec Image Security Validator ns:qa ns:prod ns:prod Image 3. Fetch Image Image Security Grafeas metadata Security Security Policy Policy Policy CRD CRD CRD 5. Store attestations for admitted images 4 b) admitted 4 b) admitted Attestation Attestor Authority CRD attestation vuln Pod

  9. Kritis: Admission Flow k8s Kritis 1. Admission WebHook kubectl Request apply 2. review Pod site.yaml Policies spec Image Security Validator ns:qa ns:prod ns:prod Image 3. Fetch Image Image Security Grafeas metadata Security Security Policy Policy Policy CRD CRD CRD 5. Store attestations for admitted images 4 b) admitted 4 b) admitted Attestation Attestor Authority CRD attestation vuln Pod Pod

  10. Kritis: Admission Flow k8s CVE-2019-9919 Kritis 1. Admission WebHook kubectl Request apply 2. review Pod site.yaml Policies spec Image Security Validator ns:qa ns:prod ns:prod Image 3. Fetch Image Image Security Grafeas metadata Security Security Policy Policy Policy CRD CRD CRD 5. Store attestations for admitted images 4 b) admitted 4 b) admitted Attestation Attestor Authority CRD attestation vuln Pod Pod

  11. Kritis: Admission Flow k8s CVE-2019-9919 Kritis 1. Admission WebHook kubectl Request apply 2. review Pod site.yaml Policies spec Image Security Validator ns:qa ns:prod ns:prod Image 3. Fetch Image Image Security Grafeas metadata Security Security Policy Policy Policy CRD CRD CRD 5. Store attestations for admitted images 4 b) admitted 4 b) admitted 6. Fetch Attestation Attestor Authority CRD attestations for admitted attestation image vuln Pod Pod

  12. Kritis: Admission Flow k8s CVE-2019-9919 Kritis 1. Admission WebHook kubectl Request apply 2. review Pod site.yaml Policies spec Image Security Validator ns:qa ns:prod ns:prod Image 3. Fetch Image Image Security Grafeas metadata Security Security Policy Policy Policy CRD CRD CRD 5. Store attestations for admitted images 7. admitted 4 b) admitted 4 b) admitted 6. Fetch Attestation Attestor Authority CRD attestations for admitted attestation image vuln Pod Pod Pod Pod

  13. Discovering new vulnerabilities in admitued containers ...

  14. Kritis: Background Cron k8s Kritis 1. Admission WebHook kubectl Request apply 2. review Pod site.yaml Policies spec Image Security Validator ns:qa ns:prod ns:prod Image 3. Fetch Image Image Security Grafeas metadata Security Security Policy Policy Policy CRD CRD CRD 5. Store attestations for admitted images 7. admitted 4 b) admitted 4 b) admitted 6. Fetch Attestation Attestor Authority CRD attestations for admitted attestation image vuln Pod Pod Pod Pod

  15. Kritis: Background Cron k8s Kritis 1. Admission Background WebHook kubectl Request Cron apply 2. review Pod site.yaml Policies spec Image Security Validator ns:qa ns:prod ns:prod Image 3. Fetch Image Image Security Grafeas metadata Security Security Policy Policy Policy CRD CRD CRD 5. Store attestations for admitted images 7. admitted 4 b) admitted 4 b) admitted 6. Fetch Attestation Attestor Authority CRD attestations for admitted attestation image vuln Pod Pod Pod Pod

  16. Kritis: Background Cron k8s Kritis 1. Admission Background WebHook kubectl Request Cron apply 2. review Pod site.yaml Policies spec Image Security Validator ns:qa ns:prod ns:prod Image 3. Fetch Image Image Security Grafeas metadata Security Security Policy Policy Policy CRD CRD CRD 5. Store attestations for admitted images 7. admitted 4 b) admitted 4 b) admitted 6. Fetch Attestation Attestor Authority CRD attestations for admitted attestation image vuln Pod Pod Pod Pod

  17. Kritis: Background Cron k8s Kritis 1. Admission Background WebHook kubectl Request Cron apply 2. review Pod site.yaml Policies spec Image Security Validator ns:qa ns:prod ns:prod Image 3. Fetch Image Image Security Grafeas metadata Security Security Policy Policy Policy CRD CRD CRD 5. Store attestations for admitted images 7. admitted 4 b) admitted 4 b) admitted 6. Fetch Attestation Attestor Authority CRD attestations for admitted attestation image vuln Pod Pod Pod Pod

  18. Kritis Terminology ● Grafeas metadata API ○ Retrieve vulnerability data for images ○ Store and retrieve attestations

  19. Kritis Terminology ● Grafeas metadata API ○ Retrieve vulnerability data for images ○ Store and retrieve attestations ● Custom Resource Definitions (CRDs) ○ Extension of k8s API ○ Used to store enforcement policies as k8s objects

  20. Kritis Terminology ● Grafeas metadata API ○ Retrieve vulnerability data for images ○ Store and retrieve attestations ● Custom Resource Definitions (CRDs) ○ Extension of k8s API ○ Used to store enforcement policies as k8s objects ● Validating Admission Webhook ○ HTTP callbacks receive admission request: accept/reject to enforce custom admission policies

  21. GenericAtuestationPolicy CRD apiVersion: kritis.grafeas.io/v1beta1 kind: GenericAttestationPolicy metadata: name: my-gap spec: attestationAuthorities: - my-attestor - deploy-attestor

  22. AtuestationAuthority CRD apiVersion: kritis.grafeas.io/v1beta1 kind: AttestationAuthority metadata: name: my-attestor spec: privateKeySecretName: my-kubernetes-secret publicData: “-----BEGIN PGP PUBLIC KEY BLOCK----- mQENBFvJLhwBCADCiNJAJkFUwYrH=vmny ... -----END PGP PUBLIC KEY BLOCK-----” noteReference: v1beta1/projects/my-project

  23. ImageSecurityPolicy CRD apiVersion: kritis.grafeas.io/v1beta1 kind: ImageSecurityPolicy metadata: name: my-isp spec: imageWhitelist: - gcr.io/kritis-int-test/nginx-digest-whitelist:latest packageVulnerabilityRequirements: maximumSeverity: MEDIUM whitelistCVEs: - providers/goog-vulnz/notes/CVE-2017-1000082 - providers/goog-vulnz/notes/CVE-2017-1000081

  24. Kritis Open source , built with the community Plugs into the k8s admission controller Ensure vulnerability scanning before deployment Attest images and verify before deployment Apply consistent deploy policy across k8s github.com/grafeas/kritis environments kritis-users@googlegroups.com

  25. In This Talk 1 2 3 4 Kritis & Software Grafeas Kritis Grafeas 0.1.0 Supply Chain Management

  26. In This Talk 1 2 3 4 Kritis & Software Grafeas Kritis Grafeas 0.1.0 Supply Chain Management

  27. Grafeas Write code Code Checkin Build Image Test & Verifjcation QA github.com/grafeas/grafeas Deploy to Production

  28. Grafeas: Aruifact Metadata API

  29. Grafeas: Aruifact Metadata API = images, binaries, packages...

  30. Grafeas: Aruifact Metadata API = build, deployment, vulnerability, ...

  31. Grafeas: Aruifact Metadata API = store & retrieve metadata about artifacts

  32. Grafeas: Terminology ● Notes: high-level description of types of metadata ○ e.g. Common Vulnerabilities and Exposures (CVE) as Vulnerability Note

  33. Grafeas: Terminology ● Notes: high-level description of types of metadata ○ e.g. Common Vulnerabilities and Exposures (CVE) as Vulnerability Note ● Occurrences: instance of note in an artifact ○ e.g. CVE presence in an image

  34. Grafeas: Terminology ● Notes: high-level description of types of metadata ○ e.g. Common Vulnerabilities and Exposures (CVE) as Vulnerability Note ● Occurrences: instance of note in an artifact ○ e.g. CVE presence in an image ● Providers and Consumers

  35. Grafeas: Terminology ● Notes: high-level description of types of metadata ○ e.g. Common Vulnerabilities and Exposures (CVE) as Vulnerability Note ● Occurrences: instance of note in an artifact ○ e.g. CVE presence in an image ● Providers and Consumers

  36. Grafeas: Providers and Consumers Grafeas

  37. Grafeas: Providers and Consumers Vulnerability Scanning Grafeas

  38. Grafeas: Providers and Consumers Vulnerability Scanning Store vulnerability Notes (CVEs) Grafeas

  39. Grafeas: Providers and Consumers Vulnerability Scanning Store Store vulnerability vulnerability Notes (CVEs) Ocurrences for containers Grafeas

  40. Grafeas: Providers and Consumers Vulnerability Kritis Scanning Store Store vulnerability vulnerability Notes (CVEs) Ocurrences for containers Grafeas

  41. Grafeas: Providers and Consumers Vulnerability Kritis Scanning Store Store vulnerability vulnerability Read vulnerability Notes (CVEs) Ocurrences for Occurrences for containers container Grafeas

  42. Grafeas: Terminology (cont'd) ● Resource URL: identifier for artifact in Occurrence

  43. Grafeas: Terminology (cont'd) ● Resource URL: identifier for artifact in Occurrence

  44. Grafeas: Terminology (cont'd) ● Resource URL: identifier for artifact in Occurrence ● Kind specific schemas

  45. Grafeas: Deployment Note // An artifact that can be deployed in some runtime. message DeploymentNote { // Required. Resource URI for the artifact being deployed. repeated string resource_uri = 1; }

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Green Supply Chain Management Presented by: Sandeep Sharma 11 th Global Supply Chain and

Green Supply Chain Management Presented by: Sandeep Sharma 11 th Global Supply Chain and

Presentation Title Green Supply Chain Management Presented by: Sandeep Sharma 11 th Global Supply Chain and Logistics Summit 28 Nov 2018 www.sclgsummit.org Green Supply Chain Green supply chain management is defined as "the process of

912 views • 8 slides
Lectures 1&2: Introduction to Supply Chain Management Supply Chain Management Quality

Lectures 1&2: Introduction to Supply Chain Management Supply Chain Management Quality

Lectures 1&2: Introduction to Lectures 1&2: Introduction to Supply Chain Management Supply Chain Management Quality Assurance in Supply Chain Management (INSE 6300/4-UU) Winter 2011 Overview Overview Course Outline

507 views • 31 slides
Supply Chain Management in the New World How will the Global Pandemic Impact Supply Chains?

Supply Chain Management in the New World How will the Global Pandemic Impact Supply Chains?

Supply Chain Management in the New World How will the Global Pandemic Impact Supply Chains? Kenneth J. Petersen Helen Robson Walton Endowed Chair Director, Division of Marketing & Supply Chain Management Price College of Business

892 views • 51 slides
Supply Chain Dr. Lai Ving Kam , Associate Professor Logistics and Supply Chain Management Berjaya

Supply Chain Dr. Lai Ving Kam , Associate Professor Logistics and Supply Chain Management Berjaya

Continuous Cost Reduction Resilience in Adaptive Responsive Supply Chain Dr. Lai Ving Kam , Associate Professor Logistics and Supply Chain Management Berjaya University College of Hospitality, Kuala Lumpur, Malaysia Email:

837 views • 31 slides
Regulatory, Manufacturing and Supply Chain Aspects Session 5: Supply Chain Management and

Regulatory, Manufacturing and Supply Chain Aspects Session 5: Supply Chain Management and

Polpharma Regulatory, Manufacturing and Supply Chain Aspects Session 5: Supply Chain Management and Surveillance Mariona Senis, Medichem SA Josep Maria de Ciura, Medichem SA EMA Sartans with N-nitrosamine impurities Lessons Learnt Exercise -

545 views • 10 slides
IM 2010: Operations Research, Spring 2014 Supply Chain Management Ling-Chieh Kung Department of

IM 2010: Operations Research, Spring 2014 Supply Chain Management Ling-Chieh Kung Department of

Supply chain coordination Chain-to-chain competition IM 2010: Operations Research, Spring 2014 Supply Chain Management Ling-Chieh Kung Department of Information Management National Taiwan University May 29, 20141 Supply Chain Management 1 /

954 views • 36 slides
Lectures 1&2: Introduction to Overview Overview Supply Chain Management Supply Chain

Lectures 1&2: Introduction to Overview Overview Supply Chain Management Supply Chain

Lectures 1&2: Introduction to Lectures 1&2: Introduction to Overview Overview Supply Chain Management Supply Chain Management Course Outline Preliminary Notions Objective and Importance of Supply Chain Quality

1.16k views • 31 slides
Council of Supply Chain Management Professionals January 14, 2016 Raw Material Purchasing

Council of Supply Chain Management Professionals January 14, 2016 Raw Material Purchasing

Council of Supply Chain Management Professionals January 14, 2016 Raw Material Purchasing Manufacturers DC Customers DC Consumer Factory Rick D. Blasgen President & CEO CSCMP What is a Supply Chain? A Typical Supply Chain

646 views • 64 slides
Supply Chain Risk Management

Supply Chain Risk Management

Supply Chain Risk Management Getting the Balance Right Health & Safety and Supply Chain Risk Management Introductions Supply Chain Risk Management

585 views • 32 slides
CIRCULAR BUSINESS MODEL IN SUPPLY CHAIN MANAGEMENT 2016 SMU Logistics & Supply Chain

CIRCULAR BUSINESS MODEL IN SUPPLY CHAIN MANAGEMENT 2016 SMU Logistics & Supply Chain

CIRCULAR BUSINESS MODEL IN SUPPLY CHAIN MANAGEMENT 2016 SMU Logistics & Supply Chain Symposium Katharina Tomoff Singapore, 7 March 2016 Corporate Communications and Responsibility Corporate Responsibility is part of our Strategy 2020

322 views • 14 slides
COMPARATIVE STUDY OF LEAN AND AGILE SUPPLY CHAIN MANAGEMENT ALONG WITH THE OPTIMAL MODEL

COMPARATIVE STUDY OF LEAN AND AGILE SUPPLY CHAIN MANAGEMENT ALONG WITH THE OPTIMAL MODEL

Kuwait Chapter of Arabian Journal of Business and M anagement Review Vol. 1, No.4; December 2011 COMPARATIVE STUDY OF LEAN AND AGILE SUPPLY CHAIN MANAGEMENT ALONG WITH THE OPTIMAL MODEL PRESENTATION OF AGILE SUPPLY CHAIN MANAGEMENT Shahram

233 views • 11 slides
MANUFACTURING RISK ASSESSMENT FOR EARLY STAGE PHARMACEUTICALS MIT SUPPLY CHAIN MANAGEMENT

MANUFACTURING RISK ASSESSMENT FOR EARLY STAGE PHARMACEUTICALS MIT SUPPLY CHAIN MANAGEMENT

MANUFACTURING RISK ASSESSMENT FOR EARLY STAGE PHARMACEUTICALS MIT SUPPLY CHAIN MANAGEMENT RESEARCH THESIS PRESENTATION MAY 2017 THESIS WRITERS AND CONTRIBUTORS Emily Chen, Author MIT Masters of Engineering in Supply Chain Management candidate

299 views • 15 slides
Local logistical management in the cold food supply chain by using intelligent packaging devices

Local logistical management in the cold food supply chain by using intelligent packaging devices

Local logistical management in the cold food supply chain by using intelligent packaging devices Paul Bartels, Seth-Oscar Tromp, Hajo Rijgersberg & Joost Snels Wageningen UR Food & Biobased Research, Supply Chain Management 1 Logistics

204 views • 19 slides
Essentials of Supply Chain Management - The Basics Produced by Discovery Executive Services The

Essentials of Supply Chain Management - The Basics Produced by Discovery Executive Services The

Essentials of Supply Chain Management - The Basics Produced by Discovery Executive Services The Supply Chain Workshop Series November 12 13, 2013 Columbus, Ohio Reserve The Date And Send In Your Reservation! Act now to get in on this exciting

330 views • 5 slides
Women in Supply Chain Succession Planning in Organizations Thursday, August 27, 12:00 p.m.

Women in Supply Chain Succession Planning in Organizations Thursday, August 27, 12:00 p.m.

Women in Supply Chain Succession Planning in Organizations Thursday, August 27, 12:00 p.m. 1:00 p.m. Center for Supply Chain Management The Center for Supply Chain management focuses on supporting our students through: Applied

2.18k views • 15 slides
Supply Chain Management Regional Municipality of Wood Buffalo 2016 Future Projects Summit

Supply Chain Management Regional Municipality of Wood Buffalo 2016 Future Projects Summit

Supply Chain Management Regional Municipality of Wood Buffalo 2016 Future Projects Summit February 25, 2016 www.rmwb.ca Supply Chain Organization Procurement Supply Chain Accounts Payable Stores Measurements & Reporting www.rmwb.ca

370 views • 17 slides
Dunton Locks Envisioning Workshop Community Workshop Explore Current and Future Recreational

Dunton Locks Envisioning Workshop Community Workshop Explore Current and Future Recreational

Dunton Locks Envisioning Workshop Community Workshop Explore Current and Future Recreational Uses March 7, 2016 CRD Thank You and Adjourn Workshop Exercises Next Steps Summary Report and Comments From Participants Signage and Wayfinding

273 views • 24 slides
PROSPERO: an international prospective register of systematic review protocols Alison Booth Mike

PROSPERO: an international prospective register of systematic review protocols Alison Booth Mike

PROSPERO: an international prospective register of systematic review protocols Alison Booth Mike Clarke Davina Ghersi David Moher Mark Petticrew Lesley Stewart Prospective registration of systematic review protocols PRISMA 2009 advocated

377 views • 20 slides
Evidence-Based Software Engineering Barbara Kitchenham Tore Dyb (SINTEF) Magne Jrgensen

Evidence-Based Software Engineering Barbara Kitchenham Tore Dyb (SINTEF) Magne Jrgensen

Evidence-Based Software Engineering Barbara Kitchenham Tore Dyb (SINTEF) Magne Jrgensen (Simula Laboratory) 1 Agenda The evidence-based paradigm Evidence-Based Software Engineering (EBSE) Goals Procedures Comparison

390 views • 25 slides
NSERC Partnership Grants Alejandra de Almeida NSERC Ontario Regional Office Federal Tri-Council

NSERC Partnership Grants Alejandra de Almeida NSERC Ontario Regional Office Federal Tri-Council

NSERC Partnership Grants Alejandra de Almeida NSERC Ontario Regional Office Federal Tri-Council Funding Agencies Natural Sciences & Engineering Social Health Sciences & Humanities INNOVATIO IN TION EN ENGAGE CO COLLABORATE

380 views • 21 slides
FINANCIAL AID SERVICES SEMESTER AND SUMMER STUDENT AID RESOURCES PRESENTATION FEBRUARY 19, 2019

FINANCIAL AID SERVICES SEMESTER AND SUMMER STUDENT AID RESOURCES PRESENTATION FEBRUARY 19, 2019

FINANCIAL AID SERVICES SEMESTER AND SUMMER STUDENT AID RESOURCES PRESENTATION FEBRUARY 19, 2019 PRESENTERS Alkida Shtembari Assistant Director and Scholarships Specialist Elizabeth (Betty) Riquez Director ATTACHMENTS 1.How to

273 views • 15 slides
Directive Brussels, 11 December 2013 Martins Prieditis, DG JUST A3 CRD implementation process

Directive Brussels, 11 December 2013 Martins Prieditis, DG JUST A3 CRD implementation process

Guidance on the Consumer Rights Directive Brussels, 11 December 2013 Martins Prieditis, DG JUST A3 CRD implementation process Transposition deadline 13 December 2013 Since September 2012 three multilateral meetings with

336 views • 15 slides
Corporate Presentation 2018 FORWARD LOOKING STATEMENT This presentation is intended to be

Corporate Presentation 2018 FORWARD LOOKING STATEMENT This presentation is intended to be

Corporate Presentation 2018 FORWARD LOOKING STATEMENT This presentation is intended to be strictly informational. The Company reserves the right, at its sole discretion, to modify all or any part of this presentation without any liability or

391 views • 22 slides
Whats New with RiskCalc Plus and Private EDFs? Douglas Dwyer, Managing Director, Single

Whats New with RiskCalc Plus and Private EDFs? Douglas Dwyer, Managing Director, Single

Whats New with RiskCalc Plus and Private EDFs? Douglas Dwyer, Managing Director, Single Obligor Research Janet Zhao, Associate Director, Single Obligor Research Mehna Raissi , Associate Director, Single Obligor Product Management 2 Agenda 1.

481 views • 29 slides

More recommend