Securing Microservices Continuous
Delivery using Grafeas and Kritis
Vishal Banthia
Software Engineer,
Microservices Platform
Agenda
● What is a secure software supply chain?
● Grafeas approach
● How Microservices Platform is using Grafeas and Kritis to secure
microservices Continuous Delivery?
What is a Secure Software Supply Chain?
In general, a secure software supply chain means that only
authorized software is executed at each supply chain stage,
resulting in only authorized software getting deployed in the production
environment.
The definition of “authorized” varies from organization to organization
depending on security policies and their strictness.
Some policy examples:
● Only Docker images that have been vulnerability scanned and passed are allowed
● Only QA verified software artifacts are allowed
● Only PM signed-off software artifacts are allowed
● Only software artifacts which have passed the canary stage are
allowed
[Figure: Software Supply Chain. Stages: Code, Build, Test, Deploy. Deploy targets: Compute Engine, Kubernetes Engine, App Engine, AWS EC2.]
What does “authorized at each stage” mean?
In a software supply chain, every stage consumes some artifact
and produces a new one. “Authorized at each stage” means that
each stage consumes an artifact that has been verified according to the
organization's policy.
Some examples:
● Only commits from authorized authors are allowed for the build stage
● Only artifacts that have passed unit / integration tests are allowed for QA or
end-to-end testing
● Only artifacts that have passed unit / integration tests are allowed for security
scanning
How to achieve a secure software supply chain?
Traditionally, it is achieved by creating a process workflow or
orchestration where each stage runs only when the previous stage has
passed. This can be done in various CI/CD tools or bots.
One of the problems with this approach is that it is hard to govern
the whole supply chain from a bird's-eye view. Metadata created by
one stage is lost after the next stage has consumed it.
[Figure: Software Supply Chain. Stages: Code, Build, Test, Deploy. Deploy targets: Compute Engine, Kubernetes Engine, App Engine, AWS EC2. Captions: tests will only trigger when build is passed; deploy will only trigger when tests are passed.]
Software Supply Chain Governance
What does governance mean in the software supply
chain?
Governance in the software supply chain means that all the software
artifacts deployed in production can be tracked. The CTO/CIO has full
visibility and can make policy changes.
The software supply chain should be designed in such a way that new
security policies can be added easily across the whole organisation.
Security is something which should be forced from the top down, IMO.
Untrusted Code? 🤔
The CTO / CIO needs to make this big decision:
● Do not make any change and just hope that we are running good
code 🤞
● Make the change and let performance degrade by 40%
Without data it is very difficult to make these kinds of decisions.
The software supply chain should be designed in a way that we can do
this kind of analysis and make better action plans.
Take Away
● Now we understand what a secure software supply chain is
● Why centralized governance is required in the software supply chain
What are the current problems?
● Growing and fragmented toolsets
● Microservices Architecture
● Open-Source software adoption
Grafeas approach
“An open artifact metadata API to audit and govern your software
supply chain”
Basically, instead of using the metadata produced by a supply chain stage only for the next
stage, store it in a metadata server so that the information is not
lost and can be used at any time in any stage.
Grafeas Components
Metadata Server
A metadata server which stores all the metadata generated during the various
supply chain stages
Policy enforcement tool
A tool which reads Grafeas metadata through the API and makes decisions based on the configured
policy. It is not exactly a Grafeas component, but without it the supply chain will not be
complete
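[Figure: software supply chain stages using the Grafeas API. Captions:]
● The build stage uses the Grafeas API to check whether a commit is allowed
to build or not
● The deploy stage uses the Grafeas API to check that the artifact is QA
verified and has no vulnerabilities before deploying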
Take away!
● Using Grafeas, we can store the metadata of all supply chain stages
in one centralised database
● Using a policy enforcement tool, each stage can verify whether the incoming
artifact is authorized or not
How microservices platform team is using
Grafeas and Kritis to secure microservices
Continuous Delivery?
Microservices Platform Architecture
● We use GCP
● Each microservice has its own dedicated GCP project and is
free to choose any service such as Cloud SQL, Pub/Sub etc.
● We have a centralised GCP project which is managed by the platform
team, and we run GKE there
● Each microservice has its own namespace, and the microservice
owner only has access to their namespace
● We use Spinnaker for Continuous Delivery
[Figure: GCP project for GKE with a centralized cluster. Namespaces: Service A, Service B. IAM: Platform Team, Team A, Team B. RBAC: Team A, Team B.]
Software Supply Chain for Microservice
● Developers push code to GitHub (branch, master, tag)
● CircleCI is triggered and runs unit tests
● Cloud Build triggers if the tests pass, and the Docker image is built
● The Docker image is pushed to GCR
● Spinnaker starts a deployment pipeline based on the image tag
● If the image tag has the master-* prefix, the image is deployed to the
development cluster
● If the image tag has a version, a deploy of the image to the
production cluster is triggered
● QA gets notified and does QA if necessary in the dev environment
● QA notifies the PM of the QA results
● The PM confirms whether the feature is ready to release and asks
developers to create a tag
For secure microservices Continuous Delivery, we want to make sure that
only authorized Docker images get deployed to our production cluster.
What is an authorized Docker image for us?
● Image is built by the service owner
● Image has been verified by the security team for vulnerabilities
● Image has been signed by QA
● Image has been signed by the PM
● …
How do we do this?
● We use the GCP Container Analysis API, which is an implementation of
Grafeas
● We use a Kritis fork, which is basically a policy enforcement tool for
Kubernetes
○ Kritis is a Kubernetes admission webhook which gets triggered
whenever a new pod is created. Based on the policy written in the
`ImageSecurityPolicy` CRD, Kritis decides whether to allow or deny that
pod. Kritis uses the Container Analysis API to get image metadata
[Figure: deployment flow, with arrows numbered 1 to 8. In the microservice GCP project: Cloud Build, GCR (docker image), and the Container Analysis API holding BUILD, VULNERABILITY and ATTESTATION occurrences, with a Security Team Signer Service and a QA Team Signer Service. In the GKE cluster GCP project: the Admission Controller, kritis-namespace (kritis validation webhook) and echo-namespace (ImageSecurityPolicy, echo pod). Labels: "deploy new docker image in echo-namespace with digest (sha256:abcd…)" and "OK to deploy".]
How it works?
1. Cloud Build builds the Docker image and pushes it to GCR. It also creates
build metadata with information such as which project was used
to build the image
2. GCR triggers Spinnaker
3. Spinnaker applies the Kubernetes manifest file with the new Docker image
tag. This goes to the Kubernetes admission controller
4. The admission controller calls the Kritis validation webhook with the new pod
information
5. The Kritis admission controller checks the `ImageSecurityPolicy` CRD from
echo-namespace and gets the current policy
6. Kritis calls the Container Analysis API and gets the metadata for that Docker
image
7. Depending on the policy, Kritis validates whether the image is allowed or not
and informs the admission controller
8. Depending on the Kritis result, the admission controller allows the new pod
to be created or not
Signer Service
Signer services run independently and sign images based on their job.
For example, the security signer service confirms all vulnerabilities or
checks which base image is being used, and signs the image based on its policy.
Similarly, a QA signer service can be made which signs images once
its job is done.
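The admission decision in steps 5 to 8 and the signer services described above, sketched as an added Go example that is not part of the original slides or of the Kritis code base. The `Occurrence` and `Policy` types, the ed25519 signing scheme and all sample names and values are assumptions made for illustration; they are simplified stand-ins, not the Grafeas or `ImageSecurityPolicy` schemas.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// Occurrence is a simplified stand-in for a Grafeas occurrence, not the real API schema.
type Occurrence struct {
	Kind      string // "BUILD", "VULNERABILITY" or "ATTESTATION"
	Image     string // digest-qualified image the metadata describes
	ProjectID string // BUILD: project the image was built in
	Severity  int    // VULNERABILITY: 1=LOW, 2=MEDIUM, 3=HIGH, 4=CRITICAL
	Attestor  string // ATTESTATION: name of the signer service
	Signature []byte // ATTESTATION: ed25519 signature over Image
}

// Attestor pairs a signer service name with the public key the policy trusts for it.
type Attestor struct {
	Name string
	Key  ed25519.PublicKey // must be a full-size key; ed25519.Verify panics otherwise
}

// Policy is a hypothetical per-namespace policy, loosely modelled on the checks in the slides.
type Policy struct {
	AllowedBuildProjects map[string]bool // projects whose builds are trusted
	MaxSeverity          int             // highest vulnerability severity tolerated
	RequiredAttestors    []Attestor      // every one of these must have signed the image
}

// Sign is what a signer service does after its own check has passed.
func Sign(name string, key ed25519.PrivateKey, image string) Occurrence {
	return Occurrence{Kind: "ATTESTATION", Image: image, Attestor: name,
		Signature: ed25519.Sign(key, []byte(image))}
}

// Review mirrors steps 5 to 8: apply the policy to the image's metadata and decide.
func Review(p Policy, image string, occs []Occurrence) (bool, string) {
	if !strings.Contains(image, "@sha256:") {
		return false, "image must be referenced by digest" // tags are mutable
	}
	built := false
	signed := map[string]bool{}
	for _, o := range occs {
		if o.Image != image {
			continue // metadata about some other image
		}
		switch o.Kind {
		case "BUILD":
			built = built || p.AllowedBuildProjects[o.ProjectID]
		case "VULNERABILITY":
			if o.Severity > p.MaxSeverity {
				return false, "vulnerability above allowed severity"
			}
		case "ATTESTATION":
			for _, a := range p.RequiredAttestors {
				if a.Name == o.Attestor && ed25519.Verify(a.Key, []byte(image), o.Signature) {
					signed[a.Name] = true
				}
			}
		}
	}
	if !built {
		return false, "no BUILD occurrence from an allowed project"
	}
	for _, a := range p.RequiredAttestors {
		if !signed[a.Name] {
			return false, "missing valid attestation from " + a.Name
		}
	}
	return true, "ok"
}

// newDemo returns constructed sample data: a policy, an image and its occurrences.
func newDemo() (Policy, string, []Occurrence) {
	secPub, secKey, _ := ed25519.GenerateKey(nil)
	qaPub, qaKey, _ := ed25519.GenerateKey(nil)
	image := "gcr.io/echo-project/echo@sha256:" + strings.Repeat("ab", 32)
	p := Policy{AllowedBuildProjects: map[string]bool{"echo-project": true}, MaxSeverity: 3,
		RequiredAttestors: []Attestor{{Name: "security", Key: secPub}, {Name: "qa", Key: qaPub}}}
	occs := []Occurrence{
		{Kind: "BUILD", Image: image, ProjectID: "echo-project"},
		{Kind: "VULNERABILITY", Image: image, Severity: 2},
		Sign("security", secKey, image),
		Sign("qa", qaKey, image),
	}
	return p, image, occs
}

func main() {
	p, image, occs := newDemo()
	fmt.Println(Review(p, image, occs))     // all metadata present
	fmt.Println(Review(p, image, occs[:3])) // QA has not signed yet
}
```

Because each signature covers the digest-qualified image reference, an attestation issued for one image cannot be reused to admit another, and a record written without the signer's private key fails verification.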
Why FORK?
● Official Kritis is still at a very early stage and does not have features
which we wanted, such as:
○ Validate the GCPProjectId where the Docker image is built
○ Custom attestation check
○ Clusterwide image whitelist
https://github.com/mercari/kritis
Ending
Using Grafeas and Kritis, we have introduced a new supply chain
governance strategy in our ecosystem. Our experience is good so far.
We want to write more signer services, add Grafeas in more
supply chain stages, and add full observability for our software supply
chain.
Thank You!
https://grafeas.io/blog/introducing-grafeas
https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
https://kubernetes.io/blog/2017/11/securing-software-supply-chain-grafeas/
https://github.com/mercari/kritis
https://codelabs.developers.google.com/codelabs/cloud-binauthz-intro
