https://github.com/grafeas/kritis

Deploy-time Policy Enforcer for Kubernetes applications
https://github.com/grafeas/kritis

Last synced: 3 days ago
JSON representation

Deploy-time Policy Enforcer for Kubernetes applications

• Host: GitHub
• URL: https://github.com/grafeas/kritis
• Owner: grafeas
• License: apache-2.0
• Created: 2018-06-11T18:19:43.000Z (over 6 years ago)
• Default Branch: master
• Last Pushed: 2024-04-19T10:04:24.000Z (8 months ago)
• Last Synced: 2024-11-19T07:22:52.148Z (23 days ago)
• Language: Go
• Homepage: https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
• Size: 34.7 MB
• Stars: 699
• Watchers: 24
• Forks: 135
• Open Issues: 83
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE
  • Security: SECURITY.md

Awesome Lists containing this project

• DevSecOps - https://github.com/grafeas/kritis - the-badge)| (Supply chain specific tools)
• awesome-software-supply-chain-security - Kritis -  - An open-source solution for securing your software supply chain for Kubernetes applications, it enforces deploy-time security policies using the Grafeas API. (Kubernetes Admission Controller)

README

        
# Kritis

[![GoDoc Widget]][GoDoc]

[![BuildStatus Widget]][BuildStatus Result]

[![GoReport Widget]][GoReport Status]

[GoDoc]: https://godoc.org/github.com/grafeas/kritis

[GoDoc Widget]: https://godoc.org/github.com/grafeas/kritis?status.svg

[BuildStatus Widget]: https://app.travis-ci.com/github/grafeas/kritis

[GoReport Status]: https://goreportcard.com/report/github.com/grafeas/kritis

[GoReport Widget]: https://goreportcard.com/badge/github.com/grafeas/kritis

![Kritis logo](logo/logo-128.png)

Kritis (“judge” in Greek), is an open-source solution for securing your software supply chain for Kubernetes applications. Kritis enforces deploy-time security policies using the [Google Cloud Container Analysis API](https://cloud.google.com/container-analysis/api/reference/rest/), and in a subsequent release, [Grafeas](https://github.com/grafeas/grafeas).

Here is an example Kritis policy, to prevent the deployment of Pod with a critical vulnerability unless it has been allowlisted:

```yaml

imageAllowlist:

- gcr.io/my-project/allowlist-image@sha256:

packageVulnerabilityPolicy:

  maximumSeverity: HIGH

  allowlistCVEs:

    - providers/goog-vulnz/notes/CVE-2017-1000082

    - providers/goog-vulnz/notes/CVE-2017-1000081

```

In addition to the enforcement this project also contains *signers* that can be

used to create [Grafeas](https://github.com/grafeas/grafeas) Attestation

Occurrences to be used in other enforcement systems like [Binary

Authorization](https://cloud.google.com/binary-authorization/).  (TODO#571: add doc and fix link)

For details see upcoming doc [Kritis Signer](docs/signer.md).

## Getting Started

* Watch the talk on [Software Supply Chain Management with Grafeas and Kritis](https://www.infoq.com/presentations/supply-grafeas-kritis/).

* Learn the concepts in the [Kritis Whitepaper](docs/binary-authorization.md).

* Try out Kritis with standalone Grafeas by following [Standalone Mode Tutorial](docs/standalone/README.md)

* Try the [Tutorial](docs/tutorial.md) to learn how to block vulnerabilities using [GCP Container Analysis](https://cloud.google.com/container-registry/docs/get-image-vulnerabilities).

* Read the [Resource Reference](docs/resources.md) to configure and interact with Kritis resources.

## Support

If you have questions, reach out to us on

[kritis-users](https://groups.google.com/forum/#!forum/kritis-users). For

questions about contributing, please see the [section](#contributing) below.

## Contributing

See [CONTRIBUTING](CONTRIBUTING.md) for details on how you can contribute.

See [DEVELOPMENT](DEVELOPMENT.md) for details on the  development and testing workflow.

## License

Kritis is under the Apache 2.0 license. See the [LICENSE](LICENSE) file for details.