Source URL: https://cloud.google.com/blog/products/identity-security/how-were-making-gke-more-secure-with-supply-chain-attestation-and-slsa/
Source: Cloud Blog
Title: How we’re making GKE more transparent with supply-chain attestation and SLSA
Feedly Summary: What goes into your Kubernetes software? Understanding the origin of the software components you deploy is crucial for mitigating risks and ensuring the trustworthiness of your applications. To do this, you need to know your software supply chain.
Google Cloud is committed to providing tools and features that enhance software supply chain transparency, and today we’re excited to announce that you can now verify the integrity of Google Kubernetes Engine components with SLSA, the Supply-chain Levels for Software Artifacts framework.
SLSA is a set of standards that can help attest the integrity of software components. We’ve begun to publish SLSA Verification Summary Attestations (VSAs) for GKE’s Container-Optimized OS (COS) virtual machine (VM) images to GitHub. We’ve also enhanced Google Compute Engine (GCE) audit logs to include VM image identifiers, and begun to route GKE Kubernetes Control Plane GCE audit logs to customer projects. This allows you to use SLSA VSAs to authenticate the VM images used in your GKE clusters.
aside_block
GCE audit logs improvements
Google Compute Engine audit logs now include the GCE image ID in records related to instance creation events (such as insert, bulk insert, and update operations) when an instance is created from an image. This allows you to trace the precise image used to launch each instance even if an image is deleted and recreated with the same name, as each image instance has a unique immutable ID.
The ID is used to uniquely identify the image when verifying its provenance and integrity using the SLSA VSAs described below. This can provide an invaluable audit trail for security and compliance purposes.
We introduced a new attachDisks field, under usedResources in the metadata field, that for attached disks records the source image name, source image id, and whether it was used as the boot disk. You can find this information in the Logs explorer using a query like:
code_block
<ListValue: [StructValue([(‘code’, ‘resource.type=”gce_instance" ANDprotoPayload.methodName="v1.compute.instances.insert"’), (‘language’, ”), (‘caption’, <wagtail.rich_text.RichText object at 0x3e5a603206a0>)])]>
GCE instance insert audit log record with VM image id field
GKE Control Plane audit and integrity logs now forwarded to your project
New GKE clusters running version 1.29 or later now forward their Control Plane GCE audit logs records for insert, bulk insert, and update operations, and their Shielded VM integrity logs, to the customer project hosting the GKE cluster.
You can identify Control Plane VM instance log records by the presence of a new metadata field. To view the logs use a log explorer query like:
code_block
<ListValue: [StructValue([(‘code’, ‘resource.type="gce_instance" AND (jsonPayload.metadata.isKubernetesControlPlaneVM="true" OR protoPayload.metadata.isKubernetesControlPlaneVM="true")’), (‘language’, ”), (‘caption’, <wagtail.rich_text.RichText object at 0x3e5a658a9850>)])]>
Additionally, we’ve added to the forwarded logs a new parentResource map under metadata with two fields, parentResourceType, with a value of “gke_cluster”, and parentResourceId, with the cluster hash as a value, so you can tell which cluster the VMs in the forwarded log records belong to in case you have more than one cluster per project.
This enhancement allows you to gain visibility into the VM images used to create the Control Plane VMs, and the integrity status of the instances, further strengthening your ability to audit and secure your GKE clusters.
KCP VM instance audit log record forwarded to customer project
GKE bolsters VM image verification with SLSA VSAs
Google Kubernetes Engine (GKE) is taking a significant step forward in supply chain security by publishing SLSA Verification Summary Attestations (VSAs) for GKE Container Optimized OS (COS) based VM images. These attestations are available in the Google Cloud GKE VSA GitHub repository. This initiative can provide you with cryptographic proof of the integrity and provenance of the GKE VM images you’re using, help ensure that they haven’t been tampered with, and that they originate from a trusted source.
To locate a VSA for the COS VM image used in your GKE VM instances. Look in the folders at the root of the GitHub repository:
The folder gke-master-images:78064567238 contains VSAs for the Kubernetes control plane VM images.
The folder gke-node-images:238739202978 contains the VSAs for the node VM images.
Using the image ID found in the audit logs you can locate the matching VSA. For example, gke-node-images:238739202978/gke-12811-gke1044000-cos-109-17800-218-52-c-pre:3031893369549136349.intoto.jsonl is the VSA for the the node VM image with an id of 3031893369549136349.
Independent verification with slsa-verifier
You can independently verify the authenticity of GKE VM images using the open-source slsa-verifier tool. This tool allows you to validate the integrity of your GKE VM images by combining the GCE image name and ID, the VSA, and Google’s VSA public signing key.
The public key is
code_block
<ListValue: [StructValue([(‘code’, ‘—–BEGIN PUBLIC KEY—–\r\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeGa6ZCZn0q6WpaUwJrSk+PPYEsca\r\n3Xkk3UrxvbQtoZzTmq0zIYq+4QQl0YBedSyy+XcwAMaUWTouTrB05WhYtg==\r\n—–END PUBLIC KEY—–‘), (‘language’, ”), (‘caption’, <wagtail.rich_text.RichText object at 0x3e5a658a93d0>)])]>
To verify a VM image use slsa-verifier as follows:
code_block
<ListValue: [StructValue([(‘code’, ‘slsa-verifier verify-vsa \\\r\n –attestation-path "${VSA_PATH}" \\\r\n –resource-uri gce_image://${VM_IMAGE_PROJECT_NAME}:${VM_IMAGE_NAME} \\\r\n –subject-digest gce_image_id:${VM_IMAGE_ID} \\\r\n –verifier-id https://bcid.corp.google.com/verifier/bcid_package_enforcer/v0.1 \\\r\n –verified-level BCID_L1 \\\r\n –verified-level SLSA_BUILD_LEVEL_2 \\\r\n –public-key-path "${KEY_PATH}" \\\r\n –public-key-id keystore://76574:prod:vsa_signing_public_key’), (‘language’, ”), (‘caption’, <wagtail.rich_text.RichText object at 0x3e5a658a9c70>)])]>
where
VSA_PATH is the path to the VSA file
VM_IMAGE_PROJECT_NAME is the name of the project hosting the VM image (e.g., gke-node-images)
VM_IMAGE_NAME is the image name (e.g., gke-12811-gke1044000-cos-109-17800-218-52-c-pre)
VM_IMAGE_ID is the image ID (e.g. 30318933695491363493)
KEY_PATH is the path to the saved public key
Next steps
These enhancements reflect Google Cloud’s commitment to providing you with the tools and capabilities needed to help build and manage secure, transparent software supply chains. To learn more about how to verify the integrity of the GKE control plane check out the user guide. You can find more information on securing your GKE cluster in the documentation.
AI Summary and Description: Yes
Summary: The text outlines Google Cloud’s advancements in software supply chain transparency, specifically regarding Kubernetes Engine components and their verification through the SLSA framework. This is particularly relevant for security and compliance professionals as it enhances the security posture of cloud deployments while improving software trustworthiness.
Detailed Description:
The article emphasizes the importance of understanding the software supply chain in Kubernetes deployments to mitigate risks and enhance application trustworthiness. Key points include:
– **Introduction of SLSA**: Google Cloud now verifies the integrity of Google Kubernetes Engine (GKE) components using the Supply-chain Levels for Software Artifacts (SLSA) framework. SLSA provides a standardized approach to attest software integrity and provenance.
– **Verification Summary Attestations (VSAs)**: Google Cloud has started publishing SLSA Verification Summary Attestations for the Container-Optimized OS (COS) VM images associated with GKE. This offers cryptographic proof ensuring that VM images have not been tampered with.
– **GCE Audit Logs Enhancements**:
– Inclusion of unique GCE image IDs in audit logs for instance creation events, which aids in tracking the specific images used, enhancing audit trails for security and compliance.
– New metadata fields record information about source images, contributing to improved vulnerability assessments and traceability of resources.
– **Control Plane Logs**: New GKE clusters publish their Control Plane GCE audit logs and Shielded VM integrity logs to the customer’s project. This allows for a clearer view of which VM images are used and their integrity status.
– **Independent Verification**: Users can leverage the open-source `slsa-verifier` tool to independently confirm the authenticity of GKE VM images by combining key elements such as GCE image names and associated IDs.
– **Next Steps**: Google encourages users to utilize provided tools and documentation for verifying the integrity of GKE components, underlining their commitment to maintaining secure software supply chains.
Overall, this development represents a significant advancement in managing software supply chain risks in cloud-based environments. It aligns with best practices in security and compliance, offering professionals tools to enhance the integrity, security, and traceability of their cloud infrastructures.