Overview of Kritis
Kritis, which translates to “judge” in Greek, is an open-source solution designed to enhance the security of software supply chains, particularly for Kubernetes applications. Developed in conjunction with the Grafeas project, Kritis serves as a deploy-time policy enforcer, ensuring that only compliant and secure container images are deployed in Kubernetes clusters.
Key Features and Functionality
Policy Enforcement
Kritis enforces deploy-time security policies, rejecting container images that do not meet the configured criteria: known vulnerabilities, build provenance and test status, among others. A policy can allowlist specific images outright, or block images carrying critical vulnerabilities unless those vulnerabilities have been explicitly allowed.
Integration with Grafeas
Kritis leverages the Grafeas API to retrieve and store metadata about container images. Grafeas acts as a centralized metadata knowledge base, storing information such as vulnerability occurrences, build details, and attestations. This integration allows Kritis to make informed decisions about whether to admit or reject container images based on the stored metadata.
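The two sections above reduce to one decision: take the vulnerability metadata stored for an image, apply the policy's allowlists and severity ceiling, and admit or reject. The following Go program is an added illustration of that decision, not code from the Kritis project. The type and function names (VulnOccurrence, ImagePolicy, Evaluate), the severity ranking, the registry names and the CVE identifiers are all constructed for the example; the CVE identifiers in particular are placeholders, not real advisories.

```go
package main

import (
	"fmt"
	"strings"
)

// Severity levels as Grafeas reports them, ranked so they can be compared.
var severityRank = map[string]int{
	"MINIMAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5,
}

// VulnOccurrence is a stripped-down stand-in for a Grafeas VULNERABILITY
// occurrence (constructed for this example, not the real Grafeas type).
type VulnOccurrence struct {
	NoteName string // vulnerability note, e.g. "projects/<provider>/notes/CVE-0000-0001"
	Severity string
}

// ImagePolicy is a stand-in for the deploy-time policy Kritis keeps in a CRD.
type ImagePolicy struct {
	ImageAllowlist  []string // digest-pinned images admitted without any scan
	MaximumSeverity string   // highest severity tolerated; anything above is rejected
	AllowlistCVEs   []string // note names tolerated regardless of severity
}

// Evaluate decides whether image may be admitted, given the vulnerability
// occurrences stored for it. It returns the decision and the rejection reasons.
func Evaluate(p ImagePolicy, image string, occ []VulnOccurrence) (bool, []string) {
	// Explicitly allowlisted images bypass the vulnerability checks.
	for _, a := range p.ImageAllowlist {
		if a == image {
			return true, nil
		}
	}
	// Only digest-pinned images are evaluated: a mutable tag can be re-pointed
	// after scanning, which would detach the stored metadata from what runs.
	if !strings.Contains(image, "@sha256:") {
		return false, []string{fmt.Sprintf("image %q is not pinned by digest", image)}
	}
	maxRank, ok := severityRank[p.MaximumSeverity]
	if !ok {
		return false, []string{fmt.Sprintf("policy has unknown maximumSeverity %q", p.MaximumSeverity)}
	}
	allowed := make(map[string]bool, len(p.AllowlistCVEs))
	for _, c := range p.AllowlistCVEs {
		allowed[c] = true
	}
	var reasons []string
	for _, o := range occ {
		if allowed[o.NoteName] {
			continue // explicitly accepted by the policy author
		}
		rank, ok := severityRank[o.Severity]
		if !ok {
			// Unknown severity: fail closed instead of silently admitting.
			reasons = append(reasons, fmt.Sprintf("%s has unrecognised severity %q", o.NoteName, o.Severity))
			continue
		}
		if rank > maxRank {
			reasons = append(reasons, fmt.Sprintf("%s is %s, above the policy maximum %s", o.NoteName, o.Severity, p.MaximumSeverity))
		}
	}
	return len(reasons) == 0, reasons
}

func main() {
	// Constructed sample data shaped like what Kritis would fetch from Grafeas;
	// the CVE identifiers are placeholders, not real advisories.
	policy := ImagePolicy{
		ImageAllowlist:  []string{"registry.example/base@sha256:aaaa"},
		MaximumSeverity: "MEDIUM",
		AllowlistCVEs:   []string{"projects/scanner/notes/CVE-0000-0001"},
	}
	occ := []VulnOccurrence{
		{NoteName: "projects/scanner/notes/CVE-0000-0001", Severity: "CRITICAL"}, // allowlisted
		{NoteName: "projects/scanner/notes/CVE-0000-0002", Severity: "LOW"},
		{NoteName: "projects/scanner/notes/CVE-0000-0003", Severity: "HIGH"}, // above MEDIUM
	}
	ok, reasons := Evaluate(policy, "registry.example/app@sha256:bbbb", occ)
	fmt.Println("admit:", ok, "reasons:", reasons)
}
```

Two choices in the example are worth noting. An unrecognised severity is treated as a rejection rather than ignored, so a scanner that starts emitting a new label cannot cause images to slip through. Images referenced by tag are refused before any metadata is consulted: vulnerability and build metadata is keyed by digest, and a tag that moves after the scan would make the stored data describe something other than what the cluster runs.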
Custom Resource Definitions and Admission Webhooks
Kritis stores enforcement policies as Kubernetes objects using custom resource definitions (CRDs), so policies are created, reviewed and versioned with the same tooling as any other cluster resource. Enforcement itself runs through a validating admission webhook: the API server sends each admission request to Kritis as an HTTP callback, and Kritis answers with accept or reject according to the defined policies.
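To make the webhook mechanism concrete, here is an added example of a validating webhook written in Go using only the standard library; it is not Kritis's own webhook code. The admissionReview structs are a hand-written mirror of the admission.k8s.io/v1 envelope (a real deployment would use the k8s.io/api/admission/v1 types), the Review and Handler functions and the DigestPinned policy hook are constructed for the example, and the request body in main is a trimmed sample of what the API server sends.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Minimal mirror of the admission.k8s.io/v1 AdmissionReview envelope, declared
// here so the example needs only the standard library.
type admissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *admissionRequest  `json:"request,omitempty"`
	Response   *admissionResponse `json:"response,omitempty"`
}

type admissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"` // the Pod being admitted, left raw
}

type admissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *status `json:"status,omitempty"`
}

type status struct {
	Message string `json:"message"`
}

// Only the part of a Pod the policy needs: the image of every container.
type container struct {
	Image string `json:"image"`
}

type podSpec struct {
	Spec struct {
		InitContainers []container `json:"initContainers"`
		Containers     []container `json:"containers"`
	} `json:"spec"`
}

// ImageCheck is the policy hook: whether an image is admitted, and why not.
type ImageCheck func(image string) (bool, string)

// Review evaluates one AdmissionReview body and returns the encoded response.
// Every failure path yields a rejection or an error, so the webhook fails closed.
func Review(body []byte, check ImageCheck) ([]byte, error) {
	var in admissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview")
	}
	resp := &admissionResponse{UID: in.Request.UID, Allowed: true}
	var pod podSpec
	if err := json.Unmarshal(in.Request.Object, &pod); err != nil {
		resp.Allowed = false
		resp.Status = &status{Message: "object is not a Pod: " + err.Error()}
	} else {
		var reasons []string
		all := append([]container{}, pod.Spec.InitContainers...)
		all = append(all, pod.Spec.Containers...)
		for _, c := range all {
			if ok, why := check(c.Image); !ok {
				reasons = append(reasons, fmt.Sprintf("%s: %s", c.Image, why))
			}
		}
		if len(reasons) > 0 {
			resp.Allowed = false
			resp.Status = &status{Message: strings.Join(reasons, "; ")}
		}
	}
	return json.Marshal(admissionReview{
		APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: resp,
	})
}

// Handler adapts Review to net/http for the TLS endpoint the API server calls.
func Handler(check ImageCheck) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
		if err != nil {
			http.Error(w, "cannot read body", http.StatusBadRequest)
			return
		}
		out, err := Review(body, check)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		w.Write(out)
	}
}

// DigestPinned is a placeholder policy: admit only images referenced by digest.
func DigestPinned(image string) (bool, string) {
	if strings.Contains(image, "@sha256:") {
		return true, ""
	}
	return false, "image is not pinned by digest"
}

func main() {
	// Constructed request, trimmed to the fields the example reads.
	req := []byte(`{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview",
	  "request":{"uid":"example-uid","object":{"spec":{"containers":[
	    {"name":"app","image":"registry.example/app:latest"}]}}}}`)
	out, _ := Review(req, DigestPinned)
	fmt.Println(string(out))
	// To serve: http.ListenAndServeTLS(":8443", certFile, keyFile, Handler(DigestPinned))
}
```

The webhook is only as strong as its registration: if the ValidatingWebhookConfiguration that points the API server at it is set to `failurePolicy: Ignore`, an unreachable or crashing webhook lets every Pod through, so a deploy-time gate of this kind should be registered with `failurePolicy: Fail` and monitored for availability.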
Attestation and Signers
Kritis includes signers that create Grafeas attestation occurrences. An attestation records that an image satisfied some property, such as having been built and tested by a particular pipeline, and a policy can require the relevant attestations before an image is admitted. This is how a rule such as "only images signed by a trusted builder may be deployed" is expressed and enforced.
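The exchange between a signer and the deploy-time check, as an added Go example that is not part of Kritis: a builder signs a payload naming the image digest and the attestation note, and the policy side verifies the signature against the keys it trusts for that note. The Attestation, Signer and Authority types and the note name are constructed for the example, and Ed25519 from the standard library stands in for the PGP or PKIX keys a real deployment would use.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Attestation is a stand-in for a Grafeas ATTESTATION occurrence: a signed
// payload naming the image digest, attached to an attestation-authority note.
type Attestation struct {
	NoteName  string `json:"note_name"`
	KeyID     string `json:"key_id"`
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// payload is the canonical message the signer commits to.
type payload struct {
	NoteName    string `json:"note_name"`
	ImageDigest string `json:"image_digest"`
}

// Signer models a Kritis signer run by a trusted builder once its checks pass.
type Signer struct {
	KeyID string
	priv  ed25519.PrivateKey
}

// NewSigner creates a fresh key pair and returns the public key the policy will trust.
func NewSigner(keyID string) (*Signer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Signer{KeyID: keyID, priv: priv}, pub, nil
}

// Attest produces an attestation that imageDigest satisfied the note's property.
func (s *Signer) Attest(noteName, imageDigest string) (Attestation, error) {
	msg, err := json.Marshal(payload{NoteName: noteName, ImageDigest: imageDigest})
	if err != nil {
		return Attestation{}, err
	}
	return Attestation{
		NoteName:  noteName,
		KeyID:     s.KeyID,
		Payload:   msg,
		Signature: ed25519.Sign(s.priv, msg),
	}, nil
}

// Authority is the verifying side of the policy: which note must be attested,
// and which public keys may sign for it.
type Authority struct {
	NoteName string
	Keys     map[string]ed25519.PublicKey
}

// Verify checks that att is a valid attestation of imageDigest by a trusted key.
// Binding the digest into the signed payload stops an attestation issued for
// one image from being replayed for another.
func (a Authority) Verify(att Attestation, imageDigest string) error {
	if att.NoteName != a.NoteName {
		return fmt.Errorf("attestation is for note %q, policy requires %q", att.NoteName, a.NoteName)
	}
	pub, ok := a.Keys[att.KeyID]
	if !ok {
		return fmt.Errorf("key %q is not trusted for %s", att.KeyID, a.NoteName)
	}
	if !ed25519.Verify(pub, att.Payload, att.Signature) {
		return errors.New("signature does not verify")
	}
	var p payload
	if err := json.Unmarshal(att.Payload, &p); err != nil {
		return fmt.Errorf("malformed payload: %w", err)
	}
	if p.NoteName != a.NoteName || p.ImageDigest != imageDigest {
		return fmt.Errorf("payload attests %s for %s, not %s", p.NoteName, p.ImageDigest, imageDigest)
	}
	return nil
}

func main() {
	builder, pub, err := NewSigner("builder-key-1")
	if err != nil {
		panic(err)
	}
	const note = "projects/example/notes/built-by-trusted-builder" // constructed name
	policy := Authority{NoteName: note, Keys: map[string]ed25519.PublicKey{"builder-key-1": pub}}

	att, _ := builder.Attest(note, "sha256:bbbb")
	fmt.Println("genuine:", policy.Verify(att, "sha256:bbbb"))
	fmt.Println("other image:", policy.Verify(att, "sha256:cccc"))
	tampered := att
	tampered.Payload = bytes.Replace(att.Payload, []byte("bbbb"), []byte("cccc"), 1)
	fmt.Println("tampered:", policy.Verify(tampered, "sha256:cccc"))
}
```

The checks in Verify are ordered so that the cheap structural ones (note name, key lookup) fail before the signature is computed, and the digest comparison happens only after the signature has proven who wrote the payload. Trust is scoped per note: a key trusted to attest "built by the trusted builder" does not thereby get to attest anything else.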
Pluggable and Hybrid Cloud-Friendly
Kritis is designed to be highly flexible and compatible with various environments. It can be used on-premises or in hybrid cloud setups, making it suitable for a wide range of deployment scenarios. The system is also pluggable, allowing users to add new metadata producers and consumers, such as different security scanners or build systems.
Real-Time Enforcement and Monitoring
Kritis checks container properties at deploy time, on every admission request, so policies are enforced continuously rather than in periodic audits. Evaluating at this point matters because it closes the window between an image being scanned or attested and the image actually running in the cluster.
In summary, Kritis is a robust and flexible tool for securing Kubernetes applications by enforcing strict deploy-time policies, leveraging centralized metadata from Grafeas, and integrating seamlessly with Kubernetes clusters. Its features make it an essential component for organizations aiming to enhance the security and compliance of their software supply chains.