Grafeas Project Debuts to Improve Kubernetes Supply Chain Security

A new open-source effort backed by Google, IBM, Red Hat and others launches to provide auditing and governance for the container software supply chain.


Understanding where software comes from and how it was built is a cornerstone of good security hygiene. In an effort to further improve security for the open-source Kubernetes container orchestration platform, multiple vendors have come together to launch the Grafeas project.

Grafeas which means "scribe" in Greek, is an open-source project that is intended to provide audit and governance capabilities for the microservices container software supply chain. The effort is being backed by Google and has the support of JFrog, Red Hat, IBM, Black Duck, Twistlock, Aqua Security and CoreOS.

"The API spec for Grafeas was initially developed internally at Google, and we iterated on the design through many conversations with our launch collaborators and early testers," Stephen Elliot, product manager of Google Cloud, told eWEEK. "We incorporated the feedback from those conversations, and Grafeas represents an open-source version of our internal implementation."

In addition to Grafeas, Google is introducing a Kubernetes policy engine called Kritis (Greek for "judge"). Kritis is able to use metadata information collected by Grafeas to inform policy decisions on what should or should not run in a Kubernetes cluster.

"Kritis is inspired by internal developments to secure Google's cloud applications and discussions with early testers outside Google," Elliot said. "One other outcome of Google's internal efforts is the Kubernetes ImagePolicyWebHook plugin, which allows delegating admission control decisions to an external service."

Google is using the ImagePolicyWebHook plugin to connect Kritis to the Kubernetes platform, according to Elliot. He noted that the admission decision for a container is made through a configurable web service, allowing a simple integration with the Kritis service.

Among the vendors backing the Grafeas project is IBM, which is participating in the effort to help further provide capabilities that ensure the trust of workloads running within a Kubernetes cluster.

"For example, Grafeas will be used to protect and restrict the scheduling of containers where the images have known vulnerabilities," Dan Berg, distinguished engineer at IBM Cloud, told eWEEK. "Another integration point that I would like to see via extensions to Grafeas is the ability to block scheduling of images that have not been signed by a trusted authority."


Elliott said one core design aspect of Grafeas is to provide a stable, content addressable and cryptographically secure reference to the software artifact. While Grafeas has a cryptographically secure reference to software artifacts, it doesn't by default secure against potential tampering.

"Grafeas enables storing the information, but it does not address securing the information against tampering through cryptographic means," Elliot said. "For individual metadata types, this is done based on their security needs."

For example, Elliot noted that Kritis uses signature-based attestations to ensure attestations can't be forged. In the initial release, he said administrators will control the keys and will need to configure the enforcement policy accordingly.


The idea of understanding the provenance and composition of a container is not a new one, with multiple previous efforts already in the market, including IBM's Vulnerability Advisor, Red Hat's Container Health Index and Docker's open-source Notary effort. The goal with Grafeas, according to the project's backers, is to complement and go beyond what is already available.

"Should someone be invested in notary, Grafeas can use it as a metadata source," Mike Barrett, senior principal product manager for OpenShift at Red Hat, told eWEEK

Red Hat's own Container Health Index, which was launched in May 2017, is also an example of a source for metadata that Grafeas will be able to store about the container. Barrett added that Grafeas with Kritis helps to bring together scanning, signing, providence, chain of trust, identity, layer identification, software life cycle stage and other road-to-production concerns and match them to design automations for Kubernetes pods.

"This will allow for auditing and governance like we have never seen before in the container and container orchestration space," Barrett said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.