Grafeas, a like-minded open source initiative for auditing and governing the software supply chain

Open Source Project Grafeas Enforces Kubernetes Supply Chain Security

New open source project seeks to ensure that containers are secure at deployment.

Security at the data center isn't getting any easier. It's true that security experts are constantly coming up with new techniques to help keep the bad guys away, but at the same time, developers are constantly increasing the complexity of the software they create. This includes not only the complexity of apps, but also the underlying software for delivering them.

An example, if you need one, would be containers. For all practical purposes, containers didn't exist five years ago and now something like half of all enterprises use them extensively. Containers not only bring new security challenges built-in to their infrastructure, their portability means companies using them are running much more software than before, offering a bigger target for black hats who manage to breach perimeter security and gain access to servers.

To state the obvious: securing containers is essential.

Last week Brian Gracely, Red Hat's director of product strategy, said as much to ITPro when talking about the Open Container Initiative, which is working to set container standards. OCI 1.0, released in July, set standards for runtime and formats, with security being the next focus on the initiative's agenda. Specifically, Gracely said, OCI is going to focus on standards for signing container software and on scanning containers for security vulnerabilities and malware.

It's not surprising then that Google, with help from JFrog, Red Hat, IBM, Black Duck, Twistlock, Aqua Security and CoreOS, announced on Thursday that it's been working on Grafeas, a like-minded open source initiative for auditing and governing the software supply chain. It does so using an API to define the metadata associated with the software. It allows for things like auditing software in its use environment or noting changes made to software.

Although Grafeas isn't container specific, that's really what it's all about. It includes Kritis, a policy engine for enforcing secure software supply chain policies that connects to Kubernetes using the ImagePolicyWebHook plugin. According to Google, Kritis offers "real-time enforcement of container properties at deploy time for Kubernetes clusters based on attestations of container image properties" that are stored in Grafeas.

A blog posted Thursday by Shopify, which markets e-commerce solutions, offers a short bullet list of "attestation" examples that it's put into practice:

  • This container has been built by us
  • This container comes from our (or a trusted) container repository
  • This container does not run as root
  • This container passes CI tests
  • This container does not introduce any new vulnerabilities (scanned)
  • This container is deployed with the appropriate security context

The attestations are signature-based to protect against forgery. However, Stephen Elliot, product manager of Google Cloud, told eWEEK that although Grafeas is cryptographically secure, potential tampering isn't prevented by default. In the initial release, the keys are under control of user administrators, who will need to configure their own enforcement policy.

Shopify, which has already been using Grafeas, builds 6,000 containers per day and has 330,000 images in its container registry.

"By integrating Grafeas and Kritis into our Kubernetes pipeline, we are now able to automatically store vulnerability and build information about every container image that we create and strictly enforce a built-by-Shopify policy: our Kubernetes clusters only run images signed by our builder," the company's senior security engineer, Jonathan Pulsifer, said in a statement. "Grafeas and Kritis actually help us achieve better security while letting developers focus on their code."

Grafeas is available on GitHub.

TAGS: Open Source
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish