Overview
The article discusses how Shopify utilizes Grafeas and Kritis to manage container security and governance at scale. It highlights the importance of auditing container metadata and enforcing deployment policies to ensure secure software delivery.
What You'll Learn
1. How to use Grafeas for auditing container metadata
2. How to enforce deployment policies using Kritis in Kubernetes
3. Why digital signing of attestations is crucial for container security
Prerequisites & Requirements
- Understanding of containerization and Kubernetes
- Familiarity with Grafeas and Kritis (optional)
Key Questions Answered
How does Grafeas help in managing container metadata?
Grafeas provides a uniform way to store critical software component metadata during build and integration pipelines. This allows Shopify to answer key questions about container deployments, such as their origin, installed packages, and any security vulnerabilities.
What is the role of Kritis in container deployment?
Kritis enables the enforcement of real-time deployment policies based on the metadata stored in Grafeas. It uses digitally signed attestations to ensure that only containers meeting specified security controls are deployed in Kubernetes environments.
What types of attestations can be enforced with Kritis?
Attestations can include conditions such as whether a container was built by a trusted entity, whether it comes from a trusted repository, and whether it passes CI tests. This ensures that only secure and compliant containers are deployed.
What security controls can be implemented using Grafeas and Kritis?
Using Grafeas and Kritis, Shopify can enforce security controls such as ensuring containers do not run as root, have passed CI tests, and are free from known vulnerabilities. This governance approach enhances the security of the software supply chain.
Key Statistics & Figures
Daily container builds
6,000
Shopify performs over 6,000 container builds each day, necessitating robust auditing and governance strategies.
Total images in container registry
330,000
Shopify maintains 330,000 images in its primary container registry, highlighting the scale at which these governance tools are applied.
Technologies & Tools
Backend
Grafeas
Used for storing and managing container metadata.
Backend
Kritis
Enforces deployment policies based on metadata from Grafeas.
Security
PGP
Used for digitally signing attestations to ensure the integrity of containers.
Orchestration
Kubernetes
Platform where Kritis enforces deployment policies.
Tools
kubeaudit
Used to generate attestations for Kubernetes workload manifests.
Key Actionable Insights
1. Implement Grafeas to centralize container metadata management. By using Grafeas, teams can streamline their auditing processes and gain insights into container security, which is essential for maintaining compliance and security in large-scale environments.
2. Use Kritis to enforce security policies during deployment. Kritis allows for real-time enforcement of deployment policies, ensuring that only containers that meet security standards are deployed, thus reducing the risk of vulnerabilities in production.
3. Digitally sign attestations to verify container integrity. Using PGP for signing attestations ensures that the identity of the builder is verified, which is crucial for maintaining trust in the software supply chain.
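The attestation-based admission check described under "Key Questions Answered" and in the actionable insights above, as an added example that is not code from the Shopify article nor from the Grafeas or Kritis projects. It models a Grafeas-style attestation store as a list of signed records, and an admission decision that admits an image digest only when every required authority (hypothetical names "trusted-builder", "ci-tests" and "kubeaudit") has an attestation for exactly that digest whose signature verifies under the authority's trusted public key. Ed25519 from the Go standard library stands in for the PGP signing the article describes, and all digests and key pairs are constructed in the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Attestation is a constructed, simplified stand-in for a Grafeas attestation
// occurrence: a named authority vouches for one image digest by signing it.
type Attestation struct {
	Authority   string // hypothetical names: "trusted-builder", "ci-tests", "kubeaudit"
	ImageDigest string
	Signature   []byte
}

// Authority is an attestation authority the admission check trusts, identified
// by name and by the public key its attestations must verify under.
type Authority struct {
	Name      string
	PublicKey ed25519.PublicKey
}

// payload binds the authority name to the digest, so an attestation issued by
// one authority cannot be presented as if it came from another.
func payload(authority, digest string) []byte {
	return []byte(authority + "\x00" + digest)
}

// Sign issues an attestation for digest under the authority's private key.
func Sign(authority string, priv ed25519.PrivateKey, digest string) Attestation {
	return Attestation{
		Authority:   authority,
		ImageDigest: digest,
		Signature:   ed25519.Sign(priv, payload(authority, digest)),
	}
}

// ErrMissingAttestation is returned when a required authority has no valid
// attestation for the image being admitted.
var ErrMissingAttestation = errors.New("missing or invalid attestation")

// Admit applies the deployment policy: the image is admitted only if every
// required authority has an attestation for exactly this digest whose signature
// verifies under that authority's trusted public key. Attestations that are
// forged, issued for another digest or issued under another authority's name
// are simply ignored, so the decision fails closed.
func Admit(digest string, required []Authority, store []Attestation) error {
	for _, auth := range required {
		found := false
		for _, att := range store {
			if att.Authority != auth.Name || att.ImageDigest != digest {
				continue
			}
			if ed25519.Verify(auth.PublicKey, payload(auth.Name, digest), att.Signature) {
				found = true
				break
			}
		}
		if !found {
			return fmt.Errorf("%w: image %s lacks a valid attestation from %q",
				ErrMissingAttestation, digest, auth.Name)
		}
	}
	return nil
}

func main() {
	// Constructed sample: one key pair per authority. In a real deployment these
	// would be the signing keys configured for each attestation authority.
	names := []string{"trusted-builder", "ci-tests", "kubeaudit"}
	var required []Authority
	privs := map[string]ed25519.PrivateKey{}
	for _, n := range names {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		required = append(required, Authority{Name: n, PublicKey: pub})
		privs[n] = priv
	}

	digest := "sha256:constructed-digest-for-example" // constructed placeholder
	var store []Attestation
	for _, n := range names {
		store = append(store, Sign(n, privs[n], digest))
	}
	fmt.Println("all attestations present:", Admit(digest, required, store))

	// Drop the kubeaudit attestation: the image must now be rejected.
	fmt.Println("kubeaudit attestation missing:", Admit(digest, required, store[:2]))

	// Attestations for a different digest do not carry over to this one.
	fmt.Println("attestations for another digest:",
		Admit("sha256:some-other-constructed-digest", required, store))
}
```

The check is deliberately strict: the builder key signing "as" the CI authority, or an attestation copied from another image, counts for nothing, which is the property that makes attestations worth more than an unsigned label in the registry.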
Common Pitfalls
1. Neglecting to audit container metadata can lead to security vulnerabilities.
Without proper auditing, teams may deploy containers that contain unaddressed vulnerabilities, which can compromise the entire application and lead to security breaches.
2. Failing to enforce deployment policies can result in non-compliant containers being deployed.
If deployment policies are not enforced, there is a risk of deploying containers that do not meet security standards, potentially exposing the system to threats.
Related Concepts
Container Security Best Practices
Auditing In Software Supply Chains
Real-time Policy Enforcement In Kubernetes