grafeas / kritis
Deploy-time Policy Enforcer for Kubernetes applications
Home Page: https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
License: Apache License 2.0
Add an Admission Controller that admits all pods
Add tests.
Currently there are various kritis images used and deployed, and it can be very difficult to identify which version/commit of kritis is running.
Right now the check for fully qualified images happens during ISP validation, but if there are no ISPs deployed then any image (even one that isn't fully qualified) can get through.
We can at least check for fully qualified images without an ISP while kritis is running.
There might be a case where users want to replace/regenerate the keys used for attesting valid pods. This might happen when a key is compromised or lost.
In such scenarios, we need to make sure previously attested pods can still be verified by the admission controller.
A kubectl plugin attest can fetch all the images which have an attestation where the key id is the secret name and re-attest them with the new secret key. It will delete any attestations for the same AttestationAuthority with the older secret name in pgpKeyId.
kubectl plugin attest <AttestationAuthority CRD Name>
Need to design and implement integration testing for Kritis.
Deploying all objects i.e. CRDs, admission controller via helm.
We should namespace all the labels and annotations with something like:
kritis.grafeas.io/
kritis pods log:
W0718 20:50:59.292609 1 client_config.go:552] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
every time it is called. It might be worth defining a --kubeconfig value to silence the error.
Right now the cron job does not kick off when we start the kritis-server.
Add it to main and kick it off.
ValidatingWebhookConfiguration if kritis is down or failing
Support Prometheus varz, etc. endpoints in kritis to allow Prometheus metric collection.
Document the full schemas for the CRD types
Write Integration tests for Container Analysis Api
In #46 I forgot to add the config to deploy the ValidatingWebhook.
This Admission Webhook will
For a type:pod that is deployed, kritis gives an error message at create time that an image is blocked, with the explanation. For deployments, the pods are never created but the deployment succeeds. It might make sense to see if we can reject the deployment directly or do some better messaging here.
This issue relates to adding ISP integration test cases to kritis. Currently it isn't clear how ISPs should work with kritis (one single ISP vs multiple) and how repeated images, differing CVE tolerance levels, etc. should work. We can discuss here what test cases make sense and how kritis should act for each case.
Create a directory and set up helm as defined in the tutorial.
Right now we are using container analysis alpha libs.
Please switch them to beta once they are available.
Add here.
Right now, we only log violated pods.
https://github.com/dlorenc/kritis/blob/5750fc4d74d1c6dd51d15f57002ad9a9b1bc26b0/pkg/kritis/violation/strategy.go#L31
We need to interact with Drydock to fetch notes and occurrences.
Currently, Kritis is having issues for the following integration test cases:
I believe this stems from two functionality issues:
This is a Tracking issue for creating kritis release.
DRAFT already started by @tejal29
https://github.com/grafeas/kritis/releases/edit/untagged-25bedf8d6894d660f7d7
Create test Project.
Test project kritis-int-test created.
Create test cluster
Create a service account and add the keys to kokoro
Field | Value | Outcome/Reason
---|---|---
maximumSeverityDefault: CRITICAL | LOW | *Only allow containers with Low vulnz
 | MEDIUM | *Allow containers with Low and Medium vulnz
 | HIGH | *Allow containers with Low, Medium & High vulnz
 | CRITICAL | Allow containers with all vulnz
 | BLOCKALL | *Block any vulnz except those listed in the whitelist
onlyFixesNotAvailableDefault: Yes | Yes | *Only allow containers with vulnz not fixed
 | No | *Allow containers with vulnz fixed or not fixed
Note: * Except those listed in the whitelistCVEs field.
Return true or false and the Reason.
Add tests for the same.
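As an added example (not kritis's own code), a Go evaluation of the table above: each scanner finding is checked against maximumSeverity, onlyFixesNotAvailable and whitelistCVEs, returning admit/deny plus the reason. The Vulnerability and ImageSecurityPolicy types are constructed stand-ins for the real scanner output and CRD types.

```go
package main

import (
	"fmt"
	"strings"
)
// Vulnerability is a constructed, minimal view of one scanner finding for an image.
type Vulnerability struct {
	CVE          string
	Severity     string // LOW, MEDIUM, HIGH or CRITICAL
	FixAvailable bool
}
// ImageSecurityPolicy carries the three policy fields described in the table above.
type ImageSecurityPolicy struct {
	MaximumSeverity       string // LOW, MEDIUM, HIGH, CRITICAL or BLOCKALL
	OnlyFixesNotAvailable bool
	WhitelistCVEs         []string
}
var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Evaluate returns true when the policy admits every finding, otherwise false and the
// reason for the first violation. Whitelisted CVEs bypass every other rule.
func Evaluate(p ImageSecurityPolicy, vulnz []Vulnerability) (bool, string) {
	whitelisted := map[string]bool{}
	for _, cve := range p.WhitelistCVEs {
		whitelisted[cve] = true
	}
	maxSev := strings.ToUpper(p.MaximumSeverity)
	limit, known := severityRank[maxSev]
	if !known && maxSev != "BLOCKALL" {
		return false, fmt.Sprintf("invalid maximumSeverity %q", p.MaximumSeverity)
	}
	for _, v := range vulnz {
		if whitelisted[v.CVE] {
			continue
		}
		if maxSev == "BLOCKALL" {
			return false, fmt.Sprintf("%s: policy blocks every non-whitelisted vulnerability", v.CVE)
		}
		rank, ok := severityRank[strings.ToUpper(v.Severity)]
		if !ok || rank > limit { // an unknown severity is never treated as harmless
			return false, fmt.Sprintf("%s has severity %s, above the %s maximum", v.CVE, v.Severity, maxSev)
		}
		if p.OnlyFixesNotAvailable && v.FixAvailable {
			return false, fmt.Sprintf("%s has a fix available and must be patched", v.CVE)
		}
	}
	return true, ""
}
```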
I looked at the certificate generated using the helm certgen plugin.
The
kubectl get csr tls-webhook-secret-cert -o jsonpath='{.status.certificate}' | base64 --decode > server.crt
openssl x509 -in server.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
38:33:1c:be:10:15:81:cc:85:aa:cd:a8:57:ad:63:04
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = 99461cd8-7b97-4511-9568-fa54f53bfb5f
Validity
Not Before: Jul 13 22:40:01 2018 GMT
Not After : Jul 12 22:40:01 2023 GMT
Subject: C = US, ST = Washington, L = Seattle, O = Suse, OU = CaaSP, CN = tls-webhook-secret-cert
Subject Public Key Info:
....
The certificate org, state and OU are the defaults defined in the plugin and not what we have here
https://github.com/grafeas/kritis/blob/master/kritis-charts/certs.yaml#L8
Debug this by running the certgen command locally and submit a CL upstream if required.
Verify that if an image has not been scanned or is not hosted on GCR, kritis has a sane message for the user.
A list of stuff to add to get the webhook to work:
log: exiting because of error: log: cannot create log
Caused by glog; should be fixed by adding flag.Set("logtostderr", "true") in main.go.
Update the README.md to include:
When deploying kritis in the test cluster, the server was denied admission as the kritis-server container image was not whitelisted.
(I had a whitelist Image Spec Policy CRD deployed.)
We should whitelist the kritis-server image either
Fix Background job invalid labels.
time="2018-07-19T20:42:08Z" level=error msg="handling violations: Pod \"kritis-validation-hook-54b9f7d9f7-cc5cz\" is invalid: metadata.labels: Invalid value: \"Image not resolved to digest.\": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue', or 'my_value', or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')"
{
  "critical": {
    "identity": {
      "docker-reference": "gcr.io/tejaldesai-personal/image-whitelist-server"
    },
    "image": {
      "docker-manifest-digest": "2a9906e7e50e7eca27c6ac6d1d32ae16ea4da813c593d21fc20d1cc534182f4d"
    },
    "type": "atomic container signature"
  },
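An added example, not code from the kritis repository: building and checking the critical block above in Go. It assumes the deployed image is given in the pinned form repo@sha256:hex and that the PGP signature over the payload is verified separately; only the binding between payload and image is checked here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Payload is the "critical" block of an atomic container signature, as shown above.
type Payload struct {
	Critical struct {
		Identity struct{ DockerReference string `json:"docker-reference"` } `json:"identity"`
		Image    struct{ DockerManifestDigest string `json:"docker-manifest-digest"` } `json:"image"`
		Type     string `json:"type"`
	} `json:"critical"`
}

// NewPayload builds the block an attestor signs for an image given as "repo@sha256:hex".
func NewPayload(image string) (Payload, error) {
	var p Payload
	parts := strings.SplitN(image, "@sha256:", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return p, fmt.Errorf("%s is not pinned by digest", image)
	}
	p.Critical.Identity.DockerReference = parts[0]
	p.Critical.Image.DockerManifestDigest = parts[1]
	p.Critical.Type = "atomic container signature"
	return p, nil
}
// CheckPayload confirms that raw (its PGP signature already verified elsewhere) was made for
// exactly the image being admitted: repository and digest must both match, so an attestation
// for one build cannot be replayed against another image in the same repository.
func CheckPayload(raw []byte, deployed string) error {
	var got Payload
	if err := json.Unmarshal(raw, &got); err != nil {
		return err
	}
	want, err := NewPayload(deployed)
	if err != nil {
		return err
	}
	if got.Critical.Type != want.Critical.Type {
		return fmt.Errorf("unexpected payload type %q", got.Critical.Type)
	}
	if got.Critical.Identity.DockerReference != want.Critical.Identity.DockerReference ||
		got.Critical.Image.DockerManifestDigest != want.Critical.Image.DockerManifestDigest {
		return fmt.Errorf("payload does not cover %s", deployed)
	}
	return nil
}
```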
Create an AttestationOccurrence using the lib (#3)
Write a function to verify Attestations.
Rules:
We need to annotate pods running out of image security policy.
Implement this lib.
Note: Check with skaffold team on details.
Currently the container analysis API can be enabled, but if the image passed has not been processed or vulnerability scanning has not been opted in, on deployment kritis returns
Error from server (InternalError): error when creating "integration/testdata/nginx/nginx-no-digest.yaml": Internal error occurred: failed calling admission webhook "kritis-validation-hook.grafeas.io": the server rejected our request for an unknown reason
Add CRD for image security Policy with validation and write tests for them.
Found this bug in the resolve-tags plugin trying to resolve the generic kaniko template
Given this file:
apiVersion: v1
kind: Pod
metadata:
  name: kaniko
spec:
  containers:
  - name: kaniko
    image: gcr.io/kaniko-project/executor:latest
    args: ["--dockerfile=<path to Dockerfile>",
           "--bucket=<GCS bucket>",
           "--destination=<gcr.io/$PROJECT/$IMAGE:$TAG>"]
    volumeMounts:
    - name: kaniko-secret
      mountPath: /secret
    env:
    - name: GOOGLE_APPLICATION_CREDENTIALS
      value: /secret/kaniko-secret.json
  restartPolicy: Never
  volumes:
  - name: kaniko-secret
    secret:
      secretName: kaniko-secret
The plugin printed:
apiVersion: v1
kind: Pod
metadata:
  name: kaniko
spec:
  containers:
  - name: kaniko
    image: gcr.io/kaniko-project/executor@sha256:501056bf52f3a96f151ccbeb028715330d5d5aa6647e7572ce6c6c55f91ab374
    args:
    - null
    - null
    - null
    volumeMounts:
    - name: kaniko-secret
      mountPath: /secret
    env:
    - name: GOOGLE_APPLICATION_CREDENTIALS
      value: /secret/kaniko-secret.json
  restartPolicy: Never
  volumes:
  - name: kaniko-secret
    secret:
      secretName: kaniko-secret
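An added example, not the resolve-tags plugin's code: a Go walk over the pod manifest that rewrites only image fields, so args and every other field survive unchanged. It assumes the manifest is passed as JSON (the YAML above converted by a YAML library, which the standard library lacks) and that the registry lookup is supplied as a Resolver returning sha256:<hex>; the test substitutes a constructed table.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)
// Resolver maps a tagged reference to its "sha256:<hex>" digest; a real plugin would query the registry.
type Resolver func(tagged string) (digest string, ok bool)

// ResolveImages pins every "image" field of a JSON manifest to a digest and leaves every
// other field (args, env, volumes) exactly as decoded.
func ResolveImages(manifest []byte, resolve Resolver) ([]byte, error) {
	var doc interface{}
	if err := json.Unmarshal(manifest, &doc); err != nil {
		return nil, err
	}
	if err := walk(doc, resolve); err != nil {
		return nil, err
	}
	return json.Marshal(doc)
}
// walk recurses through objects and arrays, rewriting only string values keyed "image".
func walk(node interface{}, resolve Resolver) error {
	switch n := node.(type) {
	case map[string]interface{}:
		for k, v := range n {
			if img, ok := v.(string); ok && k == "image" && !strings.Contains(img, "@sha256:") {
				digest, found := resolve(img)
				if !found {
					return fmt.Errorf("cannot resolve %s", img)
				}
				if i := strings.LastIndex(img, ":"); i > strings.LastIndex(img, "/") {
					img = img[:i] // drop the tag but keep a registry port such as localhost:5000
				}
				n[k] = img + "@" + digest // updating an existing key during range is safe
			} else if err := walk(v, resolve); err != nil {
				return err
			}
		}
	case []interface{}:
		for _, v := range n {
			if err := walk(v, resolve); err != nil {
				return err
			}
		}
	}
	return nil
}
```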
Parent Issue: #14
This is a background Go process which will use its own clock to sleep for an hour and check pods every hour.
For kritis to operate on an image, the container-analysis API must be enabled, you must opt into vulnerability scanning on images, and the image you are deploying must have been scanned for kritis to properly process it.
Change the field onlyFixesAvailable to onlyFixesNotAvailable in https://github.com/grafeas/kritis/blob/af681d091bd423b3c684b309894e898bac8deac9/artifacts/examples/image-security-policy-example.yaml
The Spec mentions the same.
We can create another issue to track calling kubectl commands after.
Currently, when attempting to deploy a Deployment like:
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 2 # tells deployment to run 2 pods matching the template
  template: # create pods using pod definition in this template
    metadata:
      # unlike pod-nginx.yaml, the name is not included in the meta data as a unique name is
      # generated from the deployment name
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80
kritis panics with
2018/07/18 19:42:31 Getting vulnz for nginx:1.7.9
2018/07/18 19:42:31 http2: panic serving 10.44.2.1:42594: runtime error: index out of range
goroutine 702 [running]:
net/http.(*http2serverConn).runHandler.func1(0xc42000d248, 0xc420117faf, 0xc420124e00)
/usr/lib/google-golang/src/net/http/h2_bundle.go:5753 +0x190
panic(0x1093a60, 0x1a681c0)
/usr/lib/google-golang/src/runtime/panic.go:502 +0x229
github.com/grafeas/kritis/pkg/kritis/metadata/containeranalysis.ContainerAnalysis.GetVulnerabilities(0xc420a5fd40, 0x1315400, 0xc420042028, 0xc4204281a0, 0xb, 0x1, 0x0, 0xb, 0xc42068f640, 0xc42048f210)
/usr/local/google/home/aprindle/kritis-go/src/github.com/grafeas/kritis/pkg/kritis/metadata/containeranalysis/containeranalysis.go:59 +0x707
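An added example (not kritis's own code) of parsing an image reference defensively, so a non-fully-qualified image such as nginx:1.7.9, or one not hosted on gcr.io, yields a clear result for the error message instead of an index-out-of-range panic. The hostname heuristic (first path component contains '.' or ':') is an assumption of this example.

```go
package main

import "strings"

// ImageRef is the parsed form of "[registry/]repository[:tag][@sha256:digest]".
type ImageRef struct{ Registry, Repository, Tag, Digest string }

// ParseImageRef splits a reference without ever indexing past what is present, so a bare
// name such as "nginx:1.7.9" yields Registry == "" instead of a runtime panic.
func ParseImageRef(image string) ImageRef {
	var ref ImageRef
	if i := strings.Index(image, "@"); i >= 0 {
		ref.Digest, image = image[i+1:], image[:i]
	}
	// A ':' after the last '/' is a tag; a ':' before it belongs to a registry port.
	if i := strings.LastIndex(image, ":"); i > strings.LastIndex(image, "/") {
		ref.Tag, image = image[i+1:], image[:i]
	}
	// The first path component is a registry only when it looks like a host (has '.' or ':').
	if i := strings.Index(image, "/"); i >= 0 && strings.ContainsAny(image[:i], ".:") {
		ref.Registry, ref.Repository = image[:i], image[i+1:]
	} else {
		ref.Repository = image
	}
	return ref
}

// FullyQualified reports whether the image names its registry and is pinned by a sha256
// digest, the form the admission check needs before it looks up scan results.
func (r ImageRef) FullyQualified() bool {
	return r.Registry != "" && strings.HasPrefix(r.Digest, "sha256:")
}

// GCRProject returns the GCR project an image belongs to, or "" and false for images not
// hosted on gcr.io, so the caller can return a clear message rather than fail deep inside.
func (r ImageRef) GCRProject() (string, bool) {
	if r.Registry != "gcr.io" && !strings.HasSuffix(r.Registry, ".gcr.io") {
		return "", false
	}
	parts := strings.SplitN(r.Repository, "/", 2)
	if len(parts) < 2 || parts[0] == "" {
		return "", false
	}
	return parts[0], true
}
```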
Tracking issue for kritis friction log notes; feel free to add anything.
When we install kritis, we need to generate tls secrets.
We also need to do the same when user wants to deploy a new Attestation Authority.
One example of doing this:
Write a controller which will generate a pair of secrets.
https://github.com/mittwald/kubernetes-secret-generator
Ask users to generate the secrets and then they would need to copy paste the secret.
This is a tracking ticket for that.
Currently the cloudbuild.yaml builds are failing and not creating the artifacts for each merge. I believe this is due to the Docker image not having all the build deps required for kritis.
The AttestationAuthority CRD will look like:
Definition
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: attestation-authority
spec:
  group: kritis.github.com
  version: v1beta1
  scope: Namespaced
  names:
    plural: attestationauthorities
    singular: attestationauthority
    kind: AttestationAuthority
Fields.
apiVersion: kritis.github.com/v1beta1
kind: AttestationAuthority
metadata:
  name: qa-attestator
  namespace: qa
spec:
  noteReference: v1alpha1/projects/image-signing
  privateKeySecretName: foo
  publicKeyData: dsfdasfdkla
The Controller will check if the Kubernetes secret "foo" exists in namespace "qa".
TODO: What can the Controller do if the secret does not exist?
Right now, when we install the Webhook without any image policies we see this error.
kubectl create -f exanple.yaml
Error:
msg="fetching image security policies: error listing all image policy requirements: the server could not find the requested resource (get imagesecuritypolicies.kritis.grafeas.io)"
This error disappears when we deploy an image policy spec.
Let's not return false but just return true and log the message "No Image policy CRD defined", or ship one by default.
Formally document the steps required for a kritis user to update kritis on a cluster without breaking their image authorization.
The documentation can be in the format of a code lab. Ping @tejal29 for the link.
Add an empty directory structure and description.