Securing the Software Supply Chain (Cloud Next '18)



Hello everybody, welcome to our session today. I'm Sandra from Google Security, and this is Jonathan, a security architect from Shopify. Together we'll be telling you about the new container security product we just announced today, Binary Authorization, and how you can use it to secure your software supply chain. I'll be going over an overview of the product and how you can use it in your production environment, and Jonathan will give you a live demo after my presentation. Then we'll take questions at the end.

All right, let's get started. What is one of the top questions that DevOps and security stakeholders in enterprises have on their mind? What is running? Enterprises run thousands of services in their production clusters across multiple environments, and oftentimes it is very difficult to keep track of exactly what is running, let alone how to apply centralized, consistent control over this software. Data leaks, security incidents and data breaches are on the rise, and many of those are caused by bad code running in a trusted environment with access to super sensitive data. So code is the weak link in many, many enterprises' security story.

I've seen a lot of users that invest a lot of energy and effort in configuring the perfect access control policies to make sure only trusted accounts can access sensitive data as well as push production code. This is good, but not enough, because as organizations grow, as the number of applications grows, as the number of employees grows, it becomes increasingly difficult to keep track of what gets deployed in the production environment. What do I mean by that? Take an example: this user has a bucket of customer-critical information in production, super sensitive, and he has configured his access control policy to make sure only his production applications and a couple of trusted admins have access to this bucket of critical information. But because the application is VM based, it is very difficult to build new versions and push new releases of this application, so it ended up running for a long time, and different roles from different parts of the organization need to do things to the running application. For example, security engineers come in and patch, applying updates when things become outdated. Admins may have to come and restore the software when it gets stuck. Software engineers may have to come and manually make adjustments because of a new requirement or because conditions change. Before you know it, you have a number of people and a number of paths that can apply changes to production software. With this fairly broad attack surface, an attacker or rogue employee could come by and slip in a piece of bad code with one of the changes to the production software, and voilà, you have a security incident.

So you may think, well, that is legacy software; I plan to update all my production infrastructure to use containers, so I am good, right? Let's take a look. This user has a container running in production. It is true that containers refine the software supply chain: you don't have a number of people applying changes to the software directly anymore. Instead, developers have to rebuild and repush a container in order to apply any changes to it, because containers are immutable. So now organizations have a centralized choke point where all changes to production deployments are applied, and a lot of them take advantage of that to bake streamlined security controls and tests into it, to make sure that all the production changes are up to snuff: things like making sure it's built from trusted sources, making sure it passes all unit tests, making sure it clears vulnerability scans, making sure static analysis doesn't find any fault with the code, and that it has been manually okayed by a quality control engineer. This is all good, but it still does not fundamentally change how deployments are controlled. It is still account-based deployment control, which means that if you have an employee, or an attacker who stole the credentials of an employee, with access to push code to production, they could still just bypass all those streamlined CI/CD controls and push an untrusted piece of code to production directly.

Now, that is where Binary Authorization comes into play. Binary Authorization makes sure that only properly signed containers are deployed to Kubernetes Engine. It gives you a tool to define policies around what can be deployed, in addition to who can deploy, addressing the weakness in account-based deployment control mechanisms. So let's take a look at how it works. A user has a piece of code, and he has a CI/CD pipeline set up around the code, with a set of required tests and controls before pushing to production.

Binary Authorization integrates with the CI/CD pipeline by having each stage produce a signature as the image passes through the individual stages in the pipeline. So a builder would sign a container that says "I'm the trusted builder, I am the one who built this container." Tests will sign a container that says "this container passed my test pipeline." The vulnerability scanner signs the container if it doesn't find any known existing vulnerabilities on it. Static analysis and, you know, QA engineers put their respective signatures on this image. So by the time the image comes to be deployed to production, Binary Authorization, which is integrated into the GKE deploy API, will look at the signatures produced by the different stages in the CI/CD pipeline, compare them against customer-defined policies on what can deploy in production, and then make a deploy-time decision. So now if an employee with access to push code to production comes along to push untrusted code, it would fail, because the image would not have the required signatures on it. Now you have code-based deployment control.

So at a high level, this is how it works, and we've worked with design partners such as Shopify to make sure that it can properly integrate into your existing production setup. We have a number of features that I'm going to go through with you today, to see how it works with your existing infrastructure.

First of all, if you use containers you probably already have a CI/CD pipeline set up. You want to make sure that your process can be reused across a large number of production deployments; you don't want a separate repository and a separate pipeline for each environment or application that you build. Binary Authorization accommodates that by defining policies at the runtime environment level. What do I mean by that? Say you have two GKE clusters, a prod and a dev. For the production environment you want to make sure that an image has to be signed off by all the required CI/CD stages before it can run, because it has access to live customer data. But for the dev environment you want to maintain developer velocity, so as long as the image has been built and has passed the unit tests, it's good to go. There are differences in the deploy-time policy for these environments, but we can still use the same CI/CD setup. For a production deployment you have to go through the entire CI/CD pipeline and clear all stages before it can be deployed, but for the dev environment you have the option of building it, testing it, taking it out of the pipeline and deploying it there. Or, if after running in the dev environment for a while you decide this container is good and you're going to promote it to production, you don't have to duplicate any of your CI/CD setup; you can just push it through the remaining required tests, and now it has all the required signatures. The same image that was deployed to dev can also be deployed to production, so you can maintain a centralized, shared CI/CD process across different environments, which is easier to manage and more secure.

Binary Authorization integrates with a centralized metadata store hosted by Google Container Registry called the Container Analysis API, which we've also announced today. The Container Analysis API is designed to be the one-stop shop for all metadata associated with a container, so that if a centralized stakeholder has questions about a particular container that is being deployed or that is running, he can go in and check all the information, all the things known about the container. So as a container goes through its build, for example, the builder would generate a build record.

That record indicates what sources were used for this container, what packages were included, and when it was built. A tester can write standardized metadata about the test result; the vulnerability scanner writes standardized metadata around the vulnerability findings for the image. So by the time the image comes to deploy, controls such as Binary Authorization can take a look at all the metadata that was produced in the Container Analysis API and apply policies and controls to determine what can deploy in production. So Binary Authorization's signature format is just one of the metadata kinds that the Container Analysis API supports. Google engineers have also published an open source standard called Grafeas for this container metadata API. It uses the same metadata format and the same API format, so that you can produce and collect this information for your on-prem environment. Binary Authorization has also published the Kritis open source project, which is an open source implementation of deploy-time enforcement with Kubernetes, very similar to Binary Authorization. Combined with Grafeas, you have the building blocks to implement a similar enforcement flow for your on-prem deployments, similar to what we have here for Kubernetes Engine.

If you use GCP tools such as Google Container Builder and the Google Container Registry vulnerability scanner, there is a set of metadata that's already produced for you. So if your code is built by Google Container Builder, it will already produce a verifiable build record for every container that it builds, and today that is stored in the Container Analysis API. Similarly, when you push an image into Google Container Registry, it gets scanned by the vulnerability scanner, which was also announced today, and it will publish the vulnerability findings. Now, the most common use case that we hear from customers is "I want to be able to gate deployment based on build and vulnerability information." The tricky thing with that is that every organization has a different definition of what is acceptable in a build and in vulnerability findings. That is why we give you a tool, an open-source signer, that you can use to define what your organization's requirements are for builds and to sign the build and vulnerability records. So the way it works is the user would take the signer and apply their own custom configuration that says things like: for a build record, I will only sign a container as okay to deploy if the source comes from these following three repositories; or I will only sign a container as ready with respect to vulnerabilities if it does not contain critical vulnerability findings. When that happens, the signer issues the attestation using a customer-provided key. By the time the container reaches production, Binary Authorization will look up that attestation, because the user would put that in the policy to say "I require this attestation," and enforce it to make sure only images with proper build and vulnerability finding records can deploy to the production environment.

So far we've told you about how only properly signed images that are built in-house can be deployed to your environment, but we also recognize that not all images people run on their production environment are built in-house. There are popular third-party images such as NGINX and Redis that a lot of customers deploy, but they are also a common source of vulnerabilities in many enterprise environments. So to address that issue, we support image whitelists in the Binary Authorization policy. A security stakeholder could say, "I want all of the NGINX instances deployed in my organization to be the up-to-date, vulnerability-free one that I deem okay." So he would put that in the policy, and when an employee comes and tries to push the latest secure NGINX image, the digest matches, and the

deployment goes through. But if somebody tries to push the outdated, vulnerable version of the same third-party image, it would fail and generate an audit log, so the security team can review these incidents later on, and this therefore secures your deployment environment.

Binary Authorization integrates with the Kubernetes master to make sure it can apply verification, apply the policies, to every single deployment that goes to your production project. So when a deployer comes along, and the deployer could be a human or could be an automated pipeline, that doesn't matter, it sends a request to the Kubernetes master that says "I am deploying digest foo to cluster bar," which then forwards this request to the admission controller, which is part of the Kubernetes master. If this project or this cluster has Binary Authorization turned on, the admission controller forwards this request to Binary Authorization, which then goes and looks up all the signatures associated with it, verifies those signatures using the public keys defined in the policy, and returns a verification decision. Once the Kubernetes master receives the decision, it can then go ahead and either block or allow the deployment.

But we understand that production emergencies do happen, where your things are on fire, so "I'm gonna push a non-conforming change." We allow that; it's called break glass. So again, a deployer comes along, production is on fire, "I have the quick fix here, let me just push it through, I will specify the break glass flag," and the request reaches Kubernetes as usual and goes through the whole verification process. Binary Authorization says "no, this is not conformant," but the Kubernetes master will say "I'm overriding it because the break glass flag is set," and this generates an audit log, so the break glass deployment event can be reviewed later on.

So this is Binary Authorization, coming soon to beta, which was announced today; the code will be available shortly. Hopefully I have convinced you that code-based deployment control is more secure than account-based deployment control, and Binary Authorization provides that for Kubernetes Engine. We will support runtime policies, policies associated with the runtime environment, at both project and cluster levels, so you can define enforcement at different granularities. We'll have integration with the GCR vulnerability scanner as well as the container builder, so that you can apply deploy policies based on vulnerability findings and build information. We'll support whitelisting trusted third-party images, so you can have standards across your organization on what third-party images to run. In case of emergency, break glass. It's integrated with IAM and audit logging, so that you can review

failed attempts and break glass deployment events later on, after the fact. We also want to make it really easy for you to integrate this into your CI/CD pipeline, to make it easy for you to write Binary Authorization signatures for images, so we'll have partner support from popular security tools such as Twistlock and popular CI/CD tools such as copies and Jenkins to make it easy for you. Last but not least, we have open source reference implementations for Grafeas and Kritis, so you have the building blocks to implement similar security controls for your on-prem deployments.

All right, so that concludes the overview of Binary Authorization, and hopefully I gave you a taste of how to secure your software supply chain using this new product that we've announced. Now I will hand the floor to Jonathan. Jonathan will show you a demo of Binary Authorization working in action, combined with other security controls, to secure Shopify's production environment. Jonathan.

Cool. Look at that, it works, demo's done, thanks. I wish. So hey everybody, my name is Jonathan Pulsifer, a production security engineer at Shopify. Before we get started on this, I just want to go over what our production infrastructure looks like at a pretty high level. So if you are a developer at Shopify and you have a repository that contains code and you want to turn that into a service, you interact with this tool called Services DB, which is where all the robots live. So we're going to create your production identities and these sorts of things, your Kubernetes namespaces and all that, and the automation, like a Buildkite pipeline, will also be added for you. So Buildkite is not too unlike Google Cloud Container Builder, and we're gonna run through what that looks like today. After the image is pushed up to GCR, we're gonna deploy it with a tool called Shipit and a gem which we've open-sourced called kubernetes-deploy, so please go check that out. Once it hits Kubernetes there's a lot more automation and magic that happens there with our cloud buddies. Our cloud buddies are the name for our custom Kubernetes controllers that help keep our cloud fluffy at Shopify, and further to that we use a number of other GCP services to help make our cloud go.

So the demo that I have for you today is a PCI-compliant demo. As a security person, moving our compliance environments into GKE has been a large project that we've been working on, and so we've had the need to create these policies, which help us remain compliant. Google Cloud Container Builder comes PCI certified out of the box, so we don't need to worry about that, and we get some added stuff for free, like Sandra mentioned, like the verifiable build records and vulnerability findings. So given that, we've built a tool called Voucher. This slide is very similar to the ones that you've seen earlier, where we've taken that open source signer and, well, we've built something. So I'd like to show you what that signer looks like, hopefully

in real time. So what we're gonna do is run through a demo of two attestations, or signatures, that are created going through these integrations that Sandra talked about earlier: containing no vulnerabilities, and actually verifying the build record. So I'm going to flip over to my build triggers. What I've done here is I have two source repositories in Google Cloud; one is called bad and one is called good. So we're gonna run through those, build some containers. What they're doing is they're triggering on each new git tag that's pushed, so we're gonna change the Dockerfiles up, we're gonna push some tags, and we're gonna see what Voucher has in store for us today.

Maybe. So, because live demos are super fun, I actually haven't recorded any of this, so I'm gonna try to make it. And look at that, it's super quick, that's awesome. So I'm gonna explain sort of the lay of the land here. The bottom panes are the containers and the source repositories that I talked about; on the left hand side we have our good container and on the right hand side we have our bad. Voucher has been built and is listening in the top pane. So we're gonna go through and show you these Dockerfiles. For the good container we're gonna make some changes to it, just for funsies, so instead of echoing hello we're gonna echo hello 2. I just want you to note the FROM directive that we're using here: Alpine, as hard as it may be to work with in production, actually does not come stock with any vulnerabilities, fingers crossed, and nothing's changed since the last dry run. So what I've done is I just changed the Dockerfile. I'm gonna add the Dockerfile, gonna write a little commit message and say hi. Next, I'm going to tag this with next-demo, and I'm going to git push, and git push --tags. Now, hopefully, when this is up, what's going to happen is every time that Container Builder finishes a build and puts it into GCR, it's going to create an event on Pub/Sub, and so I'm listening to that build notification. So Voucher should, fingers crossed, once that build's done, pick that up and do its thing. So while that's happening, I'm going to show you the second Dockerfile. I just want you to notice the FROM line. Don't mean to trash Ubuntu, but like, come on. All right, fine. So we're just gonna do the same thing: we're going to change the Dockerfile, we're gonna add it, I'm gonna write a commit message, and then we're gonna git push, and git push --tags. I do the tag. Yeah, good enough, forgot my work anyway. So hopefully that's all done now.

I'm gonna walk you through this output that we have from Voucher; I tried to make it as pretty as possible for the demo. So here's what happened. You can see that there's a build event that we've inserted, this new container, this new image, with a job, and what it's doing is actually gonna go through and poll the Container Analysis API to see if it's noticed that any new images have been pushed and whether it's gonna run through any analysis. We can see that it's found no discoveries, so it's going to wait for some, and it found that the vulnerability scanner is gonna go through and do its analysis. That actually finished, and no vulnerabilities were found in this container. At the same time it's going to run the provenance check. The provenance check is verifying that the image in the verifiable build record, its checksum, actually matches the image that we want to deploy, the one that actually hit GCR, so we're actually making sure that the artifact has maintained its checksums all through the pipeline. Snake-oil is the name of the check that we made that ensures that containers contain no vulnerabilities, so we can see that this passed, because Alpine is pretty cool with that, and it actually worked as expected. I just quit Voucher here because we're done with it for now. But we see the second build event for our bad container, and we see it's doing the same thing: it's waiting for analysis, and oh look, it found 32 vulnerabilities in this container. And just, you know, for fun, I decided to surface one of the critical vulnerabilities, so we have a critical vulnerability in glibc 2.27 and there's a CVE that's associated with it, so this makes triage a little bit easier when we have to determine which vulnerability is actually present in an image.

We can see further that, after all those checks have been done, the attestations are being created. So for the good container we have two attestations created, two signatures, for provenance and for snake-oil, and we see that the attestation was created for provenance for the bad container, but snake-oil actually failed because it contained vulnerabilities, and we don't want any vulnerabilities in the images that we deploy today. So earlier we talked about this policy. So we're gonna take a look at the policy that we have set up for the clusters in our project. So this policy

for Binary Authorization contains some whitelisting, because if we didn't whitelist these three repositories my Kubernetes cluster wouldn't start on GKE. So what I've done is this glob, so every image inside of those GCR repositories has been whitelisted for the purposes of the demo. Please do not do this at home, okay. So I'm gonna run through the rest of this. We have some cluster admission rules. So earlier we said that we can specify a policy on a project level and on a cluster level, so we're gonna try to demo both of those today. So the cluster admission rule I have is for a test cluster running in Canada, northamerica-northeast1, and its evaluation mode is require attestation. So what this means is that for any image that deploys, Binary Authorization is going to match these attestations, and you can see that they're named provenance and snake-oil, just as we talked about. For all the other clusters running in this project we only want to make sure that it's built by a trusted identity and that the image actually was validated. So, moment of truth, we're gonna try to deploy some images. We're gonna grab our good SHA, the one that passed, then we're going to kubectl run good times. We're going to try to run the thing. Come on. Come on. Hey, look at that. Then we're also gonna grab the bad SHA, the one that failed, and we're going to kubectl run bad times. We're gonna deploy those. So what do we all expect to happen? Well, I would certainly expect, based on my policy, to have one good times deployment and no bad times deployment. So let's check it out and see what happened. So we kubectl get pods, and sure enough, only one good times pod is running, because both attestations have been created based on the policy that we created for our project, and in this specific case, our cluster admission rules. So, like, cool. But what does that mean for a developer? How can we get any sort of actionable feedback, you know, where

where does this live, how did that fail? I'm a command-line person, so I'm gonna get the replica sets that have been created here. A deployment in Kubernetes is like the highest level of abstraction, which creates replica sets, and further to that creates pods. So we've created the deployment object and said "hey cool, we want this container to run," and it created a replica set, and "hey cool, we're gonna try to start this pod for you." You can see that bad times has one container desired but none are ready, so we're gonna see what happened with that. Boom. Talk about error messaging. So, for those who don't know, Kubernetes controllers are, TL;DR, like a for loop, so it's just gonna keep trying to do this thing over and over and over again, and every time that it tries we have an error creating the pod: it's forbidden because an image policy webhook backend denied one of our images. Right, so every time that it gets deployed there are some shenanigans and webhooks that fire around that help it do its thing. It was denied by the attestation authority: we cannot find any snake-oil attestations for this image, such that it failed. Neat.

So what about all the other clusters? Just to prove that the policy works, I created a yellow cluster in here, and what I'm gonna do is I'm gonna try to run the bad times image, the same one that was attested earlier with Voucher, and, fingers crossed, it should deploy to my yellow cluster. Looks like it. Then we have one bad times pod running, so this sort of proves that the policies are working as intended. I'm just gonna bring up that policy to show you what that looks like. Everything's YAML these days, such as the policy, and so it's pretty easy to read. It should be easy to read for not just security people but for other engineers and operations people alike. It's important that technologies like this are human readable and easy to digest, or else we can't implement them properly.

So, further to that, Binary Authorization is not just a command-line suite; it does come with a fancy GUI now, thanks to our UX folks over here who made it the way it is today. So I put some human readable descriptions on our signatures, or our attestors, just to say what this is actually doing, such that, you know, if I name something willy-nilly like snake-oil, that doesn't mean anything to anybody, but having a human readable description there in a nice pretty GUI makes it really easy for those other folks to understand what's going on.

So that's it for my demo, thank you very much. What I'm gonna do is continue presenting a couple of slides. So we hit beta today, which is super exciting, and now our website's live, so you can see it at cloud.google.com/binary-authorization. Now, we are gonna be in the demo booth on the ground floor of Moscone South later, so if you want to come hang out with us that would be awesome, and we are running some code labs for this. Sandra, I think there are code labs for this?

In Moscone there's a code lab area, also where you can go; it has some machines set up, so you can get some hands-on experience

working through a code lab.

So, because we're a security talk and we like our security people, there's a lot more on container security happening here at Next. You know, it's been the number one sort of topic these days, which is super exciting for me, but the one that we did really want to highlight is "Preventing the next major security breach," down in the bottom right corner, tomorrow at 1:15. That is the talk about the GCR vulnerability scanner, so if you want to learn more about how that works and talk to the folks who made that happen, tomorrow afternoon is where that's going to be.

All right, cool, so on with the questions. If there are any questions there are mics actually on either side, so if you'd like to be recorded, such that we can all hear you too, that would be sick. We got one over here, stage left, sort of thing. Eeny meeny miny moe, rock-paper-scissors. Hey, I guess I'll jump in.

The Binary Authorization output that you were getting on the screen from the command line there, is that available in Stackdriver? Like, can we push that to our Stackdriver logging as well?

So Binary Authorization logs all the deployment events to the audit log, which pushes to Stackdriver, I believe, so you should be able to get that in Stackdriver. There are two different pieces to this, right: the actual Kubernetes replica set error as well, which should just be found in regular Kubernetes Engine logs or other event logs, whereas Binary Authorization creates its own distinct audit logs in these circumstances. So if the image is blocked you're gonna have your regular k8s events saying "oh, we can't start this pod because reasons"; you can find that information there, or in the audit log as well. The other log is, sorry, it's an audit log, it's basically the same place where GKE surfaces its audit logs, so if you have that set up you should be all good.

All right, so is this something we can bring in, like, say if we're not using GKE and we've got our own Kubernetes set up on some other cloud provider, is it something we could bring in to use?

So we do have an open source reference implementation, as I mentioned. It's open source, so we'd love to hear your needs and get your contributions, but as is, yes, it is something that you can set up to work with open source Kubernetes. It's probably gonna take a little bit of configuration because it's not a hosted solution; you have to wire the pieces together, but yeah.

I thought so, I just wanted to confirm, thank you.

github.com/grafeas, and github.com/grafeas/kritis, for both of the reference implementations. Thank you.

So I have two questions. The first one is: so there are no extra steps that you have to take at deploy time? For example, could you use an orchestrator like Helm and still do this?

So every deployment that goes through GKE, so you should just be able to deploy as usual. There shouldn't be any change to the deployment process for the vast majority of deployments, unless you're deploying something that does not meet policy. There is some integration work you have to do with your CI/CD pipelines to produce a signature.

Okay. And then how would you apply the policy, is it just a gcloud command?

Yeah, we have a particular command and a UI, and you can define the policy.

Okay, thank you.

I'm curious about where the private signing keys live, especially if you're using the open source stuff and can't use the integrated...

Yeah, so, unfortunately you'll have to manage your own private key, for the open source version as well as for the hosted version for now. We are looking at different integrations; we'd love to hear your

requirements on where we should take this and make it easier to use for you. In the case of the demo it's just PGP keys, and we have a tool called ejson at Shopify that we use just to encrypt it and keep it in the same source repository. So, GPG in ejson.

Are you planning to offer a hosted, like, Voucher signing service, or is that something that we have to...

That's definitely something that we're thinking of. Come talk to me afterward, I'd like to get your requirements on that.

How does this compare to, they call it container signing, image signing, with a product like Twistlock? Is this basically the same, or are there differences that, you know, haven't necessarily been called out?

No, we actually integrate with Twistlock. So if you're a Twistlock user and you have your scanner set up and you have your scanner policy set up, when your image passes the Twistlock scan, Twistlock would sign the image, which can then be enforced at deploy on GKE. There are other types of products out there, like Docker Content Trust, things like that, that also involve image signing, but that's more around software distribution protection versus a sort of provenance enforcement. So the difference there is: software is distributed in an open Internet environment, it may get altered while it's moved from repository to repository, and signatures such as Docker Content Trust make sure that the software has not been altered and that it comes from a trusted source. Binary Authorization takes a slightly different approach, focusing on a largely collaborative environment, which is an enterprise organization, where you want to make sure that the software you deploy has passed certain tests that are hosted by you, that you have control of. Okay.

All right, great, no more questions. As Jonathan mentioned, we're gonna be at the demo booths around 2 o'clock, so if you want to come and check it out and hang out with us you're welcome, and thank you all for coming. Thanks.
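The deploy-time control the talk walks through, CI/CD stages signing attestations only when the organization's own rule holds, a project-wide default rule with a stricter per-cluster rule, a whitelist pattern for third-party base images, and break glass producing an allow plus an audit record, modelled end to end below. This is an added example for this transcript, not code from the talk, from Google's Binary Authorization or from Shopify's Voucher. It assumes HMAC-SHA256 over the image digest in place of the PGP/PKIX signatures the product uses, a policy dictionary that mirrors the field names of the public Binary Authorization policy YAML, and constructed attestor names, keys, repositories, digests and scanner findings.

```python
import hashlib
import hmac
import re

# ---- CI/CD side: each stage attests only when the organisation's own rule holds ----

def make_attestation(attestor_key, digest):
    """Signature over the image digest by one attestor's key (HMAC-SHA256 so the example
    is self-contained; the real product uses PGP/PKIX keys)."""
    return hmac.new(attestor_key, digest.encode(), hashlib.sha256).hexdigest()

def provenance_signer(key, digest, build_record, trusted_repos):
    """Sign only if the build came from a trusted repo AND the build record's output
    digest equals the digest that landed in the registry (artifact was not swapped)."""
    ok = build_record["source_repo"] in trusted_repos and build_record["built_digest"] == digest
    return make_attestation(key, digest) if ok else None

def vulnerability_signer(key, digest, findings, blocked=("CRITICAL",)):
    """Sign only if the scanner reported no finding at a blocked severity."""
    return None if any(f["severity"] in blocked for f in findings) else make_attestation(key, digest)

# ---- Deploy-time side: what the admission hook decides for one pod's image ----

def name_matches(pattern, image):
    """Whitelist glob on the image name without tag/digest: '*' stays inside one path
    component, '**' spans components (modelled on the documented pattern rules)."""
    head, _, last = image.split("@", 1)[0].rpartition("/")
    name = f"{head}/{last.split(':', 1)[0]}" if head else last.split(":", 1)[0]
    rx = "".join(".*" if t == "**" else "[^/]*" if t == "*" else re.escape(t)
                 for t in re.split(r"(\*\*|\*)", pattern) if t)
    return re.fullmatch(rx, name) is not None

def admit(policy, cluster, image, digest, attestations, attestor_keys, break_glass=False):
    """Return (allowed, audit_line). `attestations` maps attestor name -> signature."""
    for entry in policy.get("admissionWhitelistPatterns", []):
        if name_matches(entry["namePattern"], image):
            return True, f"ALLOW {image}: whitelisted by {entry['namePattern']}"
    # A cluster rule (key LOCATION.CLUSTER_NAME) overrides the project-wide default rule.
    rule = policy.get("clusterAdmissionRules", {}).get(cluster, policy["defaultAdmissionRule"])
    mode = rule["evaluationMode"]
    if mode in ("ALWAYS_ALLOW", "ALWAYS_DENY"):
        conformant, reason = mode == "ALWAYS_ALLOW", f"rule {mode}"
    else:  # REQUIRE_ATTESTATION: every listed attestor needs a verifiable signature
        missing = [a for a in rule["requireAttestationsBy"] if a not in attestations
                   or not hmac.compare_digest(make_attestation(attestor_keys[a], digest), attestations[a])]
        conformant = not missing
        reason = "all required attestations verified" if conformant else f"missing or invalid: {missing}"
    if conformant:
        return True, f"ALLOW {image} on {cluster}: {reason}"
    if break_glass:  # GKE expresses this as the pod annotation alpha.image-policy.k8s.io/break-glass="true"
        return True, f"ALLOW (break-glass) {image} on {cluster}: non-conformant, {reason}; review this event"
    if rule["enforcementMode"] == "DRYRUN_AUDIT_LOG_ONLY":
        return True, f"ALLOW (dry run) {image} on {cluster}: would deny, {reason}"
    return False, f"DENY {image} on {cluster}: {reason}"

# ---- Constructed demo data: two attestors, a stricter prod rule, a whitelisted base image ----
PROV = "projects/example-project/attestors/provenance"
SNAKE = "projects/example-project/attestors/snakeoil"
KEYS = {PROV: b"constructed-provenance-key", SNAKE: b"constructed-snakeoil-key"}
POLICY = {
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/example-project/third-party/*"}],
    "defaultAdmissionRule": {  # every other cluster: a trusted build record is enough
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": [PROV]},
    "clusterAdmissionRules": {  # prod cluster: also needs the vulnerability gate
        "northamerica-northeast1-a.prod": {
            "evaluationMode": "REQUIRE_ATTESTATION",
            "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
            "requireAttestationsBy": [PROV, SNAKE]}},
}
TRUSTED_REPOS = {"github.com/example-org/good", "github.com/example-org/bad"}

def run_pipeline(name, findings):
    """Build -> scan -> sign: returns (image_ref, digest, attestations) for one image."""
    digest = "sha256:" + hashlib.sha256(f"constructed-{name}".encode()).hexdigest()
    record = {"source_repo": f"github.com/example-org/{name}", "built_digest": digest}
    signed = {PROV: provenance_signer(KEYS[PROV], digest, record, TRUSTED_REPOS),
              SNAKE: vulnerability_signer(KEYS[SNAKE], digest, findings)}
    attestations = {k: v for k, v in signed.items() if v is not None}  # failed check: no signature
    return f"gcr.io/example-project/{name}@{digest}", digest, attestations

def run_demo():
    """The scenarios from the talk; each value is (allowed, audit line)."""
    prod, dev = "northamerica-northeast1-a.prod", "us-central1-a.dev"
    good = run_pipeline("good", [])
    bad = run_pipeline("bad", [{"id": "CVE-0000-PLACEHOLDER", "severity": "CRITICAL"}])
    nginx = ("gcr.io/example-project/third-party/nginx@sha256:" + "0" * 64, "sha256:" + "0" * 64, {})
    return {
        "good_on_prod": admit(POLICY, prod, *good, KEYS),
        "bad_on_prod": admit(POLICY, prod, *bad, KEYS),
        "bad_on_dev": admit(POLICY, dev, *bad, KEYS),
        "bad_on_prod_break_glass": admit(POLICY, prod, *bad, KEYS, break_glass=True),
        "whitelisted_third_party": admit(POLICY, prod, *nginx, KEYS),
        "forged_signatures": admit(POLICY, prod, good[0], good[1], {PROV: "0" * 64, SNAKE: "0" * 64}, KEYS),
    }

if __name__ == "__main__":
    for case, (allowed, line) in run_demo().items():
        print(f"{case:24} {line}")
```

Two design points carry the talk's argument. A signer that declines returns nothing rather than a "failed" attestation, so the admission step never has to interpret a negative record; absence is the denial, and a stolen deployer credential cannot supply the missing signature without the attestor's key. And the break-glass path is an allow that is still logged with the reason the policy would have denied, which is what makes the event reviewable afterwards instead of silently bypassing the control.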

2018-08-13 17:32
