Kritis Change Proposal


Qifan Pu

Sep 12, 2019, 6:06:52 PM9/12/19
to Kritis users

Dear Kritis Community,


We will be implementing the changes outlined below, as part of Kritis 0.2. The changes bring better compatibility between Kritis and its Google Cloud counterpart, Binary Authorization (https://cloud.google.com/binary-authorization/), in terms of feature parity (e.g., whitelist, key rotation support) and semantic consistency (e.g., naming, all-attestor semantics, secret key location). Please let us know if you have any comments or suggestions on these changes.


Rename Kritis Attestation Authority to Kritis Attestor

We will rename Kritis Attestation Authority to Kritis Attestor. This change will make the naming consistent with Binary Authorization. 


Allowlist Support for Kritis GAP

Currently, Kritis cannot specify an allowlist in the Kritis Generic Attestation Policy (GAP). Adding an allowlist enables cluster admins to specify which images they don't need to verify against the policy.


Supporting Multiple Keys in Kritis Attestor 

The change to Kritis Attestor is to support multiple keys, with “verifiable by ANY key” verification semantics. This is mainly to support key rotation.


All Attestor Semantics for Generic Attestation Policy

We want to change the Kritis Generic Attestation Policy (GAP) semantics to “all attestors”. Currently the semantics are ANY for the purpose of key rotation, which will be addressed by the previously proposed change (supporting multiple keys in Kritis Attestor). The change achieves compatibility with Binary Authorization.


Move Secret Key in Kritis Attestor to Kritis ISP

Kritis Image Security Policy (ISP) currently contains names of attestors, and each attestor in turn contains a secret key name. This secret key name will be moved out of the attestor and into the ISP. This change brings a clearer separation of responsibility: the attestor is now verification only, and signing is left to the ISP. The Attestor/Attestation Authority now also contains no sensitive data, which makes management simpler.



Cheers,

Qifan on behalf of the Kritis Team
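The verification semantics proposed above (allowlisted images skip the policy; every other image must satisfy ALL attestors in the GAP, where each attestor accepts an attestation verifiable by ANY of its keys) can be sketched as a small policy evaluator. This is an added illustration, not Kritis code: the types, the exact-match allowlist and the key-ID comparison that stands in for signature verification are all simplifying assumptions.

```go
package main

import "fmt"

// Attestation is a constructed stand-in for a signed attestation: the attestor
// that produced it and the ID of the key it verifies under (no real crypto).
type Attestation struct{ Attestor, KeyID string }

// Attestor trusts several keys at once; an attestation counts if it verifies
// under ANY of them, which is what lets keys rotate without breaking policy.
type Attestor struct {
	Name string
	Keys map[string]bool // trusted key IDs
}

// GenericAttestationPolicy: allowlisted images skip verification entirely;
// every other image must carry an attestation from ALL listed attestors.
type GenericAttestationPolicy struct {
	Allowlist map[string]bool // exact image references (simplified: no patterns)
	Attestors []Attestor
}

// Satisfied: some attestation from this attestor verifies under ANY of its keys (key-ID match stands in for a signature check).
func (a Attestor) Satisfied(atts []Attestation) bool {
	for _, att := range atts {
		if att.Attestor == a.Name && a.Keys[att.KeyID] {
			return true
		}
	}
	return false
}

// Evaluate returns nil when the image is admitted, otherwise an error naming the first attestor with no verifiable attestation.
func (p GenericAttestationPolicy) Evaluate(image string, atts []Attestation) error {
	if p.Allowlist[image] {
		return nil // allowlisted: attestor requirements are not evaluated
	}
	for _, a := range p.Attestors {
		if !a.Satisfied(atts) {
			return fmt.Errorf("%s: no attestation from %q verifiable by any of its keys", image, a.Name)
		}
	}
	return nil
}

func main() {
	p := GenericAttestationPolicy{Attestors: []Attestor{{Name: "qa", Keys: map[string]bool{"k1": true}}}}
	fmt.Println(p.Evaluate("example.invalid/app:1", nil)) // constructed image ref; rejected
}
```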

