Software Supply Chain is a collective term used to describe the continuous integration and delivery pipelines. In addition, it refers to the observability tools that track what happens to a piece of code from the moment it’s in the source code to when it gets deployed, and everywhere in between. Grafeas (https://grafeas.io/) is an open-source artifact metadata API to audit and govern your software supply chain. It's built as an industry standard for storing and retrieving metadata about software resources. Kritis (https://github.com/grafeas/kritis) is an open-source solution for securing your software supply chain for Kubernetes applications. It enforces deploy-time security policies using Grafeas. This talk will discuss the goals for each of the two open source projects, dive into the examples of how they can be used to secure your company's software supply chain, and conclude with the details of current and future development.

1. Software Supply Chain Observability
with Grafeas and Kritis
Aysylu Greenberg June 4 2019
Photo via https://www.goodfreephotos.com/

2. Aysylu
Greenberg
- Sr Software Engineer
@Google

3. Aysylu
Greenberg
- Sr Software Engineer
@Google
- Eng Lead of
open-source Grafeas
and Kritis

4. Aysylu
Greenberg
- Sr Software Engineer
@Google
- Eng Lead of
open-source Grafeas
and Kritis
- @aysylu22

5. In This Talk
Software
Supply Chain
Management
Kritis Grafeas Kritis &
Grafeas 0.1.0
1 2 3 4

6. In This Talk
Software
Supply Chain
Management
Kritis Grafeas Kritis &
Grafeas 0.1.0
1 2 3 4

7. Software Supply
Chain Management
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

8. Software Supply
Chain Management
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

9. Software Supply
Chain Management
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

10. Software Supply
Chain Management
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

11. Software Supply
Chain Management
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA
CI pipelines

12. Software Supply
Chain Management
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

13. Software Supply
Chain Management
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA
CD pipelines

14. Software Supply
Chain Management
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

15. Software Supply
Chain Management
what happens to
code from source to
deployment?
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

16. Software Supply
Chain Management
what happens to
code from source to
deployment?
CI/CD pipelines,
observability tools
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

17. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy

18. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks

19. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks
Centralized metadata
knowledge base
Grafeas backed storage
vulnerabilities, build info, etc.

20. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks
Centralized metadata
knowledge base
Kritis
Admission
controller
Grafeas backed storage
vulnerabilities, build info, etc.

21. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks
Centralized metadata
knowledge base
Kritis
Admission
controller
Deploy time policy chokepoint
Enforce policies for
severity of vulnerabilities, image location, etc.
Grafeas backed storage
vulnerabilities, build info, etc.

22. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks
Centralized metadata
knowledge base
Kritis
Admission
controller
Deploy time policy chokepoint
Enforce policies for
severity of vulnerabilities, image location, etc.
Production
Grafeas backed storage
vulnerabilities, build info, etc.

23. Software Supply Chain with Grafeas & Kritis
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks
Grafeas backed storage
vulnerabilities, build info, etc.
Centralized metadata
knowledge base
Kritis
Admission
controller
Deploy time policy chokepoint
Enforce policies for
severity of vulnerabilities, image location, etc.
Production

24. Software Supply Chain Observability
CI/CD pipelines
Build &
Deploy
Secure
build
process
Automated
test, scan,
analysis
Deploy
checks
Grafeas backed storage
vulnerabilities, build info, etc.
Centralized metadata
knowledge base
Kritis
Admission
controller
Deploy time policy chokepoint
Enforce policies for
severity of vulnerabilities, image location, etc.
Production

25. Grafeas & Kritis
Binary
Authorization
Container Registry
Vulnerability
Scanning

26. Είναι όλα ελληνικά για μένα
[It's all Greek to me]

27. Grafeas & Kritis
JudgeScribe

28. In This Talk
Software
Supply Chain
Management
Kritis Grafeas Kritis &
Grafeas 0.1.0
1 2 3 4

29. In This Talk
Software
Supply Chain
Management
Kritis Grafeas Kritis &
Grafeas 0.1.0
1 2 3 4

30. Kritis
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA
github.com/grafeas/kritis

31. Kritis:
Deploy-Time Policy Enforcer

32. Let's deploy our
e-commerce website...

33. Kritis: Admission Flow
$ kubectl apply site.yaml

34. Kritis: Admission Flow
kubectl
apply
site.yaml

35. Kritis: Admission Flow
k8s
kubectl
apply
site.yaml

36. Kritis: Admission Flow
k8sKritis
kubectl
apply
site.yaml

37. Kritis: Admission Flow
k8sKritis
kubectl
apply
site.yaml
$ helm install <path>/kritis-charts-0.1.0.tgz

38. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
Pod
spec
1. Admission
Request
Kritis

39. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis

40. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis

41. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review

42. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies

43. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD

44. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator

45. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas

46. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas

47. Oh no! Vulnerability scan
isn't finished...

48. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 a)
denied
4 a)
denied

49. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 a)
denied
4 a)
denied
Pod

50. Vulnerability scanning is
finished!
CVE-2019-5514 is found...

51. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln

52. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 a)
denied
Pod
vuln

53. Whitelist CVE-2019-5514
because it doesn't affect
the website...

54. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln

55. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 b) admitted4 b) admitted
Pod
vuln

56. It's time to scale up your site!
$ kubectl scale deployments/site --replicas=4

57. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
Pod PodPod Pod vuln

58. A new vulnerability is
found during scale up...
CVE-2019-9919

59. vuln
Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
Pod PodPod Pod
CVE-2019-9919

60. Kritis attestations to the
rescue...

61. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 b) admitted4 b) admitted
Pod
vuln

62. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
vuln

63. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
vuln

64. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation

65. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod

66. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
CVE-2019-9919

67. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
CVE-2019-9919
6. Fetch
attestations
for admitted
image

68. Kritis: Admission Flow
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
CVE-2019-9919
6. Fetch
attestations
for admitted
image
Pod Pod
7. admitted

69. Discovering new
vulnerabilities in admitted
containers ...

70. Kritis: Background Cron
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
6. Fetch
attestations
for admitted
image
Pod Pod
7. admitted

71. Kritis: Background Cron
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
6. Fetch
attestations
for admitted
image
Pod Pod
Background
Cron
7. admitted

72. Kritis: Background Cron
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
6. Fetch
attestations
for admitted
image
Pod Pod
Background
Cron
7. admitted

73. Kritis: Background Cron
kubectl
apply
site.yaml
k8s
WebHook
Pod
spec
1. Admission
Request
Kritis
2. review
Policies
ns:prod
Image
Security
Policy
CRD
ns:qa
Image
Security
Policy
CRD
ns:prod
Image
Security
Policy
CRD
Image
Security
Validator
3. Fetch
metadata Grafeas
vuln
4 b) admitted4 b) admitted
Pod
Attestor
Attestation
Authority CRD
5. Store attestations for
admitted images
attestation
Pod
6. Fetch
attestations
for admitted
image
Pod Pod
Background
Cron
7. admitted

74. ImageSecurityPolicy CRD
apiVersion: kritis.grafeas.io/v1beta1
kind: ImageSecurityPolicy
metadata:
name: my-isp
spec:
imageWhitelist:
- gcr.io/kritis-int-test/nginx-digest-whitelist:latest
packageVulnerabilityRequirements:
maximumSeverity: MEDIUM
whitelistCVEs:
- providers/goog-vulnz/notes/CVE-2017-1000082
- providers/goog-vulnz/notes/CVE-2017-1000081

75. Observability with Kritis

76. Observability with Kritis
When did the image deploy?

77. Observability with Kritis
When did the image deploy?
When did the image pass policy checks?

78. Observability with Kritis
When did the image deploy?
When did the image pass policy checks?
When did the image stop satisfying policy?

79. Kritis
Open source, built with the community
Plugs into the k8s admission controller
Attest images and verify before deployment
Apply consistent deploy policy across k8s
environments
github.com/grafeas/kritis
kritis-users@googlegroups.com

80. In This Talk
Software
Supply Chain
Management
Kritis Grafeas Kritis &
Grafeas 0.1.0
1 2 3 4

81. In This Talk
Software
Supply Chain
Management
Kritis Grafeas Kritis &
Grafeas 0.1.0
1 2 3 4

82. Grafeas
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA
github.com/grafeas/grafeas

83. Grafeas:
Artifact Metadata API

84. Grafeas:
Artifact Metadata API
= images, binaries, packages...

85. Grafeas:
Artifact Metadata API
= build, deployment, vulnerability, ...

86. Grafeas:
Artifact Metadata API
= store & retrieve metadata about artifacts

87. Grafeas: Terminology
● Notes: high-level description of types of metadata
○ e.g. Common Vulnerabilities and Exposures (CVE) as
Vulnerability Note

88. Grafeas: Terminology
● Notes: high-level description of types of metadata
○ e.g. Common Vulnerabilities and Exposures (CVE) as
Vulnerability Note
● Occurrences: instance of note in an artifact
○ e.g. CVE presence in an image

89. Grafeas: Terminology
● Notes: high-level description of types of metadata
○ e.g. Common Vulnerabilities and Exposures (CVE) as
Vulnerability Note
● Occurrences: instance of note in an artifact
○ e.g. CVE presence in an image

90. Grafeas: Terminology (cont'd)
● Resource URL: identifier for artifact in Occurrence

91. Grafeas: Terminology (cont'd)
● Resource URL: identifier for artifact in Occurrence

92. Grafeas: Terminology (cont'd)
● Resource URL: identifier for artifact in Occurrence
● Kind specific schemas

93. Grafeas: Deployment Note
// An artifact that can be deployed in some runtime.
message DeploymentNote {
// Required. Resource URI for the artifact being deployed.
repeated string resource_uri = 1;
}

94. Grafeas: Deployment Occurrence
// The period during which some deployable was active in a runtime.
message DeploymentOccurrence {
// Identity of the user that triggered this deployment.
string user_email = 1;
// Required. Beginning of the lifetime of this deployment.
google.protobuf.Timestamp deploy_time = 2;
// Output only. Resource URI for the artifact being deployed taken
from the deployable field with the same name.
repeated string resource_uri = 6;
...}

95. Observability
with Grafeas
Code Checkin
Test &
Verification
Write code
Build Image
Deploy to
Production
QA

96. Grafeas
Open artifact metadata standard with
contributions from the industry
Audit and govern your software supply chain
Knowledge base for on-premises and cloud
clusters
API with pluggable storage backendsgithub.com/grafeas/grafeas
grafeas-users@googlegroups.com
grafeas-dev@googlegroups.com
@Grafeasio

97. In This Talk
Software
Supply Chain
Management
Kritis Grafeas Kritis &
Grafeas 0.1.0
1 2 3 4

98. In This Talk
Software
Supply Chain
Management
Kritis Grafeas Kritis &
Grafeas 0.1.0
1 2 3 4

99. Coming soon... 0.1.0

100. Goals
Enable users to start experimenting with Kritis and Grafeas
Move towards hybrid-cloud support
Gather community feedback
0.1.0

101. 0.1.0
Scope
Standalone Kritis on Kubernetes with standalone Grafeas

102. 0.1.0
User Journeys
Allow deployment of a container to Kubernetes cluster
Block deployment of a unadmitted container to the cluster

103. ● Grafeas:
○ Helm chart for Grafeas & published image
○ Standalone Grafeas server with Postgres storage backend
○ Basic support for Go client library
Features
0.1.0

104. ● Grafeas:
○ Helm chart for Grafeas & published image
○ Standalone Grafeas server with Postgres storage backend
○ Basic support for Go client library
● Kritis:
○ GenericAttestationPolicy
○ Default admittance fallback policy is well-defined
○ Configurable
Features
0.1.0

105. Learn more and follow along!
github.com/grafeas/{grafeas,kritis}
Google Groups: {grafeas,kritis}-users, grafeas-dev
@grafeasio
0.1.0
#talk-aysylu-greenberg