Kritis Overview
Kritis, which means “judge” in Greek, is a Kubernetes policy engine designed to enhance the security and governance of software supply chains, particularly within Kubernetes clusters. Developed in conjunction with the Grafeas project, Kritis leverages the centralized metadata repository provided by Grafeas to enforce secure software supply chain policies.
Key Functionality
Policy Enforcement
Kritis enables real-time enforcement of container properties at deploy time. It uses attestations of container image properties, such as build provenance and test status, which are stored in the Grafeas metadata API. This ensures that only trusted and compliant container images are deployed within the Kubernetes cluster.
Integration with Grafeas
Kritis interacts closely with Grafeas, using its metadata API to retrieve information about vulnerabilities, build details, and other relevant metadata associated with container images. This integration allows Kritis to make informed decisions about whether to admit or reject container images based on predefined policies.
Custom Resource Definitions
Kritis utilizes custom resource definitions (CRDs) that extend the Kubernetes API. These CRDs store enforcement policies as Kubernetes objects, so policies can be created, versioned and managed with the same tooling as any other cluster resource.
Validating Admission Webhook
Kritis employs validating admission webhooks, which are HTTP callbacks that receive admission requests and decide whether to accept or reject them based on the defined policies. This mechanism ensures that policy enforcement is automated and consistent across the Kubernetes cluster.
Attestation Management
Kritis includes an attestor that specifies attestation authorities and writes and retrieves attestations through the Grafeas API. An image that was previously admitted and attested can continue to be scaled up or redeployed even after new vulnerabilities are discovered, as long as its attestation confirms compliance.
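The admission decision described in the Policy Enforcement, Validating Admission Webhook and Attestation Management sections, as an added, self-contained example that is not Kritis's own code. The Occurrence and Policy types, the severity ordering, the authority name and the sample metadata are constructed stand-ins for what Kritis reads from Grafeas and its CRDs, not the real API types.

```go
package main

import "fmt"

// Occurrence is a constructed stand-in for a Grafeas occurrence on an image digest.
type Occurrence struct {
	Image, Kind, Severity, CVE, Authority string // Kind: VULNERABILITY or ATTESTATION
}

// Policy stands in for an image security policy stored as a Kubernetes object.
type Policy struct {
	MaxSeverity   string          // highest vulnerability severity still admitted
	AllowlistCVEs map[string]bool // CVEs accepted regardless of severity
	Authority     string          // attestation authority whose attestations are trusted
}

var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Admit is the verdict a validating admission webhook would return for a pod: (allowed, reason).
func Admit(images []string, occs []Occurrence, p Policy) (bool, string) {
	for _, img := range images {
		if attested(img, occs, p.Authority) {
			continue // already attested: a newly found CVE does not block re-deploys
		}
		for _, o := range occs {
			if o.Image != img || o.Kind != "VULNERABILITY" || p.AllowlistCVEs[o.CVE] {
				continue
			}
			if severityRank[o.Severity] > severityRank[p.MaxSeverity] {
				return false, fmt.Sprintf("%s: %s is %s, above %s, and no trusted attestation", img, o.CVE, o.Severity, p.MaxSeverity)
			}
		}
	}
	return true, "all images comply with policy or carry a trusted attestation"
}

// attested reports whether a trusted authority has attested this exact image digest.
func attested(img string, occs []Occurrence, authority string) bool {
	for _, o := range occs {
		if o.Image == img && o.Kind == "ATTESTATION" && o.Authority == authority {
			return true
		}
	}
	return false
}

func main() {
	occs := []Occurrence{{Image: "registry.example/app@sha256:aaa", Kind: "VULNERABILITY", Severity: "CRITICAL", CVE: "CVE-0000-0001"}} // constructed
	ok, why := Admit([]string{"registry.example/app@sha256:aaa"}, occs, Policy{MaxSeverity: "MEDIUM", Authority: "qa-attestor"})
	fmt.Println(ok, why)
}
```

Note that an attestation from an authority other than the one named in the policy is ignored, and that the attestation is keyed to the image digest, not a mutable tag.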
Key Features
- Real-Time Enforcement: Kritis enforces policies in real-time during the deployment of container images, ensuring that only compliant images are admitted to the Kubernetes cluster.
- Centralized Policy Management: Policies are stored as Kubernetes objects using custom resource definitions, making it easier to manage and update policies across the cluster.
- Automated Compliance: The use of validating admission webhooks automates the compliance checking process, reducing the risk of human error and ensuring consistent policy enforcement.
- Integration with CI/CD Pipelines: Kritis can be integrated into CI/CD pipelines to ensure that build, test, and deployment processes adhere to defined security and compliance policies.
- Fine-Grained Access Control: Kritis benefits from Grafeas’s strong access controls, allowing for careful management of metadata access for multiple producers and consumers.
In summary, Kritis is a powerful tool for enforcing secure software supply chain policies within Kubernetes environments, leveraging the metadata capabilities of Grafeas to ensure compliance and security at every stage of the deployment process.