Software Supply Chain is a collective term used to describe the continuous integration and delivery pipelines. In addition, it refers to the observability tools that track what happens to a piece of code from the moment it’s in the source code to when it gets deployed, and everywhere in between. Grafeas is an open-source artifact metadata API to audit and govern your software supply chain. It's built as an industry standard for storing and retrieving metadata about software resources. Kritis is an open-source solution for securing your software supply chain for Kubernetes applications. It enforces deploy-time security policies using Grafeas. This talk will discuss the goals for each of the two open source projects, dive into the examples of how they can be used to secure your company's software supply chain, and conclude with the details of current and future development.

1. Software Supply Chain Management
with Grafeas and Kritis
Aysylu Greenberg May 20 2019
@aysylu22

2. Software Supply Chain with Grafeas & Kritis
Build &
Deploy

3. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy

4. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks

5. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks
Centralized metadata
knowledge base
Grafeas backed storage
vulnerabilities, build info, etc.

6. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks
Centralized metadata
knowledge base
Kritis
Admission
controller
Grafeas backed storage
vulnerabilities, build info, etc.

7. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks
Centralized metadata
knowledge base
Kritis
Admission
controller
Deploy time policy chokepoint
Enforce policies for
severity of vulnerabilities, image location, etc.
Grafeas backed storage
vulnerabilities, build info, etc.

8. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks
Centralized metadata
knowledge base
Kritis
Admission
controller
Deploy time policy chokepoint
Enforce policies for
severity of vulnerabilities, image location, etc.
Production
Grafeas backed storage
vulnerabilities, build info, etc.

9. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks
Grafeas backed storage
vulnerabilities, build info, etc.
Centralized metadata
knowledge base
Kritis
Admission
controller
Deploy time policy chokepoint
Enforce policies for
severity of vulnerabilities, image location, etc.
Production

10. Grafeas & Kritis
Binary
Authorization
Container Registry
Vulnerability
Scanning

11. Grafeas:
Artifact Metadata API

12. Grafeas:
Artifact Metadata API
= images, binaries, packages...

13. Grafeas:
Artifact Metadata API
= build, deployment, vulnerability, ...

14. Grafeas:
Artifact Metadata API
= store & retrieve metadata about artifacts

15. Grafeas: Terminology
● Notes: high-level description of types of metadata
○ e.g. Common Vulnerabilities and Exposures (CVE) as
Vulnerability Note

16. Grafeas: Terminology
● Notes: high-level description of types of metadata
○ e.g. Common Vulnerabilities and Exposures (CVE) as
Vulnerability Note
● Occurrences: instance of note in an artifact
○ e.g. CVE presence in an image

17. Grafeas: Terminology (cont'd)
● Resource URL: identifier for artifact in Occurrence

18. Grafeas: Terminology (cont'd)
● Resource URL: identifier for artifact in Occurrence

19. Grafeas: Terminology (cont'd)
● Resource URL: identifier for artifact in Occurrence
● Kind specific schemas

20. Grafeas: Deployment Note
// An artifact that can be deployed in some runtime.
message DeploymentNote {
// Required. Resource URI for the artifact being deployed.
repeated string resource_uri = 1;
}

21. Grafeas: Deployment Occurrence
// The period during which some deployable was active in a runtime.
message DeploymentOccurrence {
// Identity of the user that triggered this deployment.
string user_email = 1;
// Required. Beginning of the lifetime of this deployment.
google.protobuf.Timestamp deploy_time = 2;
// Output only. Resource URI for the artifact being deployed taken
from the deployable field with the same name.
repeated string resource_uri = 6;
...}

22. Grafeas
Open artifact metadata standard with
contributions from the industry
Audit and govern your software supply chain
Knowledge base for on-premises and cloud
clusters
API with pluggable storage backendsgithub.com/grafeas/grafeas
grafeas-users@googlegroups.com
grafeas-dev@googlegroups.com
@Grafeasio

23. Kritis:
Deploy-Time Policy Verifier

24. Let's deploy our
e-commerce website...

25. Kritis: Admission Flow
$ kubectl apply site.yaml

26. Kritis: Admission Flow
kubectl
apply
site.yaml

27. Kritis: Admission Flow
k8s
kubectl
apply
site.yaml

28. Kritis: Admission Flow
k8sKritis
kubectl
apply
site.yaml

29. Kritis: Admission Flow
k8sKritis
kubectl
apply
site.yaml
$ helm install <path>/kritis-charts-0.1.0.tgz

30. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
Pod
spec
1. Admission
Request
Kritis

31. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis

32. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review

33. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies

34. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD

35. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator

36. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas

37. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas

38. Oh no! Vulnerability scan
isn't finished...

39. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 a)
denied
4 a)
denied

40. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 a)
denied
4 a)
denied
Pod

41. Vulnerability scanning is
finished!
CVE-2019-5514 is found...

42. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln

43. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 a)
denied
Pod
vuln

44. Whitelist CVE-2019-5514
because it doesn't affect
the website...

45. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln

46. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 b) admitted4 b) admitted
Pod
vuln

47. It's time to scale up your site!
$ kubectl scale deployments/site --replicas=4

48. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
Pod PodPod Pod vuln

49. A new vulnerability is
found during scale up...
CVE-2019-9919

50. vuln
Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
Pod PodPod Pod
CVE-2019-9919

51. Kritis attestations to the
rescue...

52. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 b) admitted4 b) admitted
Pod
vuln

53. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
vuln

54. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
vuln

55. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation

56. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod

57. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
CVE-2019-9919

58. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
CVE-2019-9919
6. Fetch
attestations
for admitted
image

59. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
CVE-2019-9919
6. Fetch
attestations
for admitted
image
Pod Pod
7. admitted

60. Discovering new
vulnerabilities in admitted
containers ...

61. Kritis: Background Cron
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
6. Fetch
attestations
for admitted
image
Pod Pod
7. admitted

62. Kritis: Background Cron
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
6. Fetch
attestations
for admitted
image
Pod Pod
Background
Cron
7. admitted

63. Kritis: Background Cron
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
6. Fetch
attestations
for admitted
image
Pod Pod
Background
Cron
7. admitted

64. Kritis: Background Cron
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
6. Fetch
attestations
for admitted
image
Pod Pod
Background
Cron
7. admitted

65. Kritis Terminology
● Custom Resource Definitions (CRDs)
○ Extension of k8s API
○ Used to store enforcement policies as k8s objects
● Validating Admission Webhook
○ HTTP callbacks receive admission request: accept/reject
to enforce custom admission policies

66. ImageSecurityPolicy CRD
apiVersion: kritis.grafeas.io/v1beta1
kind: ImageSecurityPolicy
metadata:
name: my-isp
spec:
imageWhitelist:
- gcr.io/kritis-int-test/nginx-digest-whitelist:latest
packageVulnerabilityRequirements:
maximumSeverity: MEDIUM
whitelistCVEs:
- providers/goog-vulnz/notes/CVE-2017-1000082
- providers/goog-vulnz/notes/CVE-2017-1000081

67. Kritis
Open source, built with the community
Plugs into the k8s admission controller
Ensure vulnerability scanning before deployment
Attest images and verify before deployment
Apply consistent deploy policy across k8s
environmentsgithub.com/grafeas/kritis
kritis-users@googlegroups.com

68. Coming soon... 0.1.0

69. Goals
Enable users to start experimenting with Kritis and Grafeas
Move towards hybrid-cloud support
Gather community feedback
0.1.0

70. 0.1.0
Scope
Standalone Kritis on Kubernetes with standalone Grafeas

71. 0.1.0User Journeys
Allow deployment of a container to Kubernetes cluster
Block deployment of an unadmitted container to the
cluster

72. ● Grafeas:
○ Helm chart for Grafeas & published image
○ Standalone Grafeas server with Postgres storage backend
○ Basic support for Go client library
Features
0.1.0

73. ● Grafeas:
○ Helm chart for Grafeas & published image
○ Standalone Grafeas server with Postgres storage backend
○ Basic support for Go client library
● Kritis:
○ GenericAttestationPolicy
○ Default admittance fallback policy is well-defined
○ Configurable
Features
0.1.0

74. Learn more and follow along!
github.com/grafeas/{grafeas,kritis}
Google Groups: {grafeas,kritis}-users, grafeas-dev
@grafeasio
Gracias!
0.1.0