Kritis: Admission Flow
1. kubectl apply sends the Pod spec (site.yaml) to the k8s API server, which forwards an admission request to the Kritis Admission WebHook.
2. Kritis reviews the Pod spec against the ImageSecurityPolicy CRDs stored in the target namespace (the diagram shows ns:qa and ns:prod, each with its own policy CRD).
3. Kritis fetches the image's vulnerability metadata from Grafeas, and the Image Security Validator checks it against the policy; a Pod whose image carries a disallowed vuln is not admitted.

A new vulnerability is found during scale up... CVE-2019-9919
An image that was admitted earlier now fails the policy check when the deployment scales up, because CVE-2019-9919 has appeared in its Grafeas metadata since admission.

Kritis attestations to the rescue...
4 b) An image that passes the policy check is admitted.
5. Kritis stores an attestation for each admitted image, signed with the key of an AttestationAuthority CRD (the Attestor).
6. On later admission requests for the same image, Kritis fetches the stored attestations for the admitted image.
7. An image with a valid attestation is admitted, so the scale-up of an already-attested image succeeds even after CVE-2019-9919 is found.

Discovering new vulnerabilities in admitted containers ...

Kritis: Background Cron
A Background Cron in Kritis repeats the review for Pods that are already running: it fetches the current Grafeas vulnerability metadata for their images and re-checks it against the ImageSecurityPolicy, so a vulnerability such as CVE-2019-9919 that is found after admission is still discovered.
Kritis Terminology
● Grafeas metadata API
  ○ Retrieve vulnerability data for images
  ○ Store and retrieve attestations
● Custom Resource Definitions (CRDs)
  ○ Extension of the k8s API
  ○ Used to store enforcement policies as k8s objects
● Validating Admission Webhook
  ○ HTTP callbacks that receive each admission request and accept or reject it, enforcing custom admission policies
GenericAttestationPolicy CRD

apiVersion: kritis.grafeas.io/v1beta1
kind: GenericAttestationPolicy
metadata:
  name: my-gap
spec:
  attestationAuthorities:
  - my-attestor
  - deploy-attestor

AttestationAuthority CRD

apiVersion: kritis.grafeas.io/v1beta1
kind: AttestationAuthority
metadata:
  name: my-attestor
spec:
  privateKeySecretName: my-kubernetes-secret
  publicData: |
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    mQENBFvJLhwBCADCiNJAJkFUwYrH=vmny
    ...
    -----END PGP PUBLIC KEY BLOCK-----
  noteReference: v1beta1/projects/my-project

ImageSecurityPolicy CRD

apiVersion: kritis.grafeas.io/v1beta1
kind: ImageSecurityPolicy
metadata:
  name: my-isp
spec:
  imageWhitelist:
  - gcr.io/kritis-int-test/nginx-digest-whitelist:latest
  packageVulnerabilityRequirements:
    maximumSeverity: MEDIUM
    whitelistCVEs:
    - providers/goog-vulnz/notes/CVE-2017-1000082
    - providers/goog-vulnz/notes/CVE-2017-1000081
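The following is an added example, not Kritis's own code, of how the my-isp policy above is evaluated against Grafeas-style vulnerability Occurrences: whitelisted images are assumed to skip the check entirely, whitelisted CVE notes are ignored, and any remaining Occurrence above maximumSeverity rejects the image. The Occurrences and image names are constructed sample data.

```python
# Added example (not Kritis's own code): evaluate an ImageSecurityPolicy's
# packageVulnerabilityRequirements against constructed Grafeas-style
# vulnerability Occurrences, mirroring the my-isp CRD above.
from dataclasses import dataclass, field

# Grafeas vulnerability severity levels, lowest to highest.
SEVERITY_RANK = {"MINIMAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

@dataclass
class ImageSecurityPolicy:
    image_whitelist: set = field(default_factory=set)
    maximum_severity: str = "CRITICAL"
    whitelist_cves: set = field(default_factory=set)

@dataclass
class VulnOccurrence:
    note_name: str   # e.g. providers/goog-vulnz/notes/CVE-2017-1000082
    severity: str    # one of SEVERITY_RANK

def review_image(policy, image, occurrences):
    """Return (admitted, violations). Assumption: a whitelisted image skips
    the vulnerability check entirely, as the imageWhitelist field suggests."""
    if image in policy.image_whitelist:
        return True, []
    limit = SEVERITY_RANK[policy.maximum_severity]
    violations = []
    for occ in occurrences:
        if occ.note_name in policy.whitelist_cves:
            continue  # CVE explicitly accepted by the policy
        # An unknown severity is treated as a violation, never silently passed.
        rank = SEVERITY_RANK.get(occ.severity)
        if rank is None or rank > limit:
            violations.append(f"{occ.note_name} ({occ.severity}) exceeds "
                              f"{policy.maximum_severity}")
    return not violations, violations

# Constructed sample data mirroring the my-isp CRD above.
MY_ISP = ImageSecurityPolicy(
    image_whitelist={"gcr.io/kritis-int-test/nginx-digest-whitelist:latest"},
    maximum_severity="MEDIUM",
    whitelist_cves={"providers/goog-vulnz/notes/CVE-2017-1000082",
                    "providers/goog-vulnz/notes/CVE-2017-1000081"},
)
SAMPLE_OCCURRENCES = [
    VulnOccurrence("providers/goog-vulnz/notes/CVE-2017-1000082", "HIGH"),  # whitelisted
    VulnOccurrence("providers/goog-vulnz/notes/CVE-2019-9919", "HIGH"),     # blocks
    VulnOccurrence("providers/goog-vulnz/notes/CVE-0000-0000", "LOW"),      # placeholder, within limit
]

if __name__ == "__main__":
    ok, why = review_image(MY_ISP, "gcr.io/example/app@sha256:placeholder", SAMPLE_OCCURRENCES)
    print("admitted" if ok else "rejected", why)
```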
Kritis
● Open source, built with the community
● Plugs into the k8s admission controller
● Ensures vulnerability scanning before deployment
● Attests images and verifies them before deployment
● Applies a consistent deploy policy across k8s environments
github.com/grafeas/kritis
kritis-users@googlegroups.com
In This Talk
1. Kritis & Software Supply Chain Management
2. Grafeas
3. Kritis
4. Grafeas 0.1.0
Grafeas
Write code -> Code Checkin -> Build Image -> Test & Verification -> QA -> Deploy to Production
github.com/grafeas/grafeas
Grafeas: Artifact Metadata API
● Artifact = images, binaries, packages...
● Metadata = build, deployment, vulnerability, ...
● API = store & retrieve metadata about artifacts
Grafeas: Terminology
● Notes: high-level description of types of metadata
  ○ e.g. Common Vulnerabilities and Exposures (CVE) as Vulnerability Note
● Occurrences: instance of a note in an artifact
  ○ e.g. CVE presence in an image
● Providers and Consumers
Grafeas: Providers and Consumers
● Vulnerability Scanning (provider)
  ○ Stores vulnerability Notes (CVEs) in Grafeas
  ○ Stores vulnerability Occurrences for containers in Grafeas
● Kritis (consumer)
  ○ Reads vulnerability Occurrences for a container from Grafeas
Grafeas: Terminology (cont'd)
● Resource URL: identifier for the artifact in an Occurrence
● Kind-specific schemas
Grafeas: Deployment Note

// An artifact that can be deployed in some runtime.
message DeploymentNote {
  // Required. Resource URI for the artifact being deployed.
  repeated string resource_uri = 1;
}