README
¶
Kritis
Kritis (“judge” in Greek), is an open-source solution for securing your software supply chain for Kubernetes applications. Kritis enforces deploy-time security policies using the Google Cloud Container Analysis API, and in a subsequent release, Grafeas.
Here is an example Kritis policy, to prevent the deployment of Pod with a critical vulnerability unless it has been allowlisted:
imageAllowlist:
- gcr.io/my-project/allowlist-image@sha256:<DIGEST>
packageVulnerabilityPolicy:
maximumSeverity: HIGH
allowlistCVEs:
- providers/goog-vulnz/notes/CVE-2017-1000082
- providers/goog-vulnz/notes/CVE-2017-1000081
In addition to the enforcement this project also contains signers that can be used to create Grafeas Attestation Occurrences to be used in other enforcement systems like Binary Authorization. For details see Kritis Signer.
Getting Started
- Watch the talk on Software Supply Chain Management with Grafeas and Kritis
- Learn the concepts in the Kritis whitepaper
- Get Kritis running with the Installation guide
- Try the Tutorial to learn how to block vulnerabilities
- Read the Resource Reference to configure and interact with Kritis resources
- Resolve image tags to hashes using the resolve-tags plug-in
Support
If you have questions, reach out to us on kritis-users. For questions about contributing, please see the section below.
Contributing
See CONTRIBUTING for details on how you can contribute.
See DEVELOPMENT for details on the development and testing workflow.
License
Kritis is under the Apache 2.0 license. See the LICENSE file for details.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
docs
|
|
|
helm-hooks
|
|
|
pkg
|
|
|
kritis/apis/kritis/v1beta1
Package v1beta1 is the v1beta1 version of the API.
|
Package v1beta1 is the v1beta1 version of the API. |
|
kritis/attestation
Package attestation defines methods to attest a message using Pgp Private and Public Key pair.
|
Package attestation defines methods to attest a message using Pgp Private and Public Key pair. |
|
kritis/client/clientset/versioned
This package has the automatically generated clientset.
|
This package has the automatically generated clientset. |
|
kritis/client/clientset/versioned/fake
This package has the automatically generated fake clientset.
|
This package has the automatically generated fake clientset. |
|
kritis/client/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
|
This package contains the scheme of the automatically generated clientset. |
|
kritis/client/clientset/versioned/typed/kritis/v1beta1
This package has the automatically generated typed clients.
|
This package has the automatically generated typed clients. |
|
kritis/client/clientset/versioned/typed/kritis/v1beta1/fake
Package fake has the automatically generated clients.
|
Package fake has the automatically generated clients. |