by tptacek 2383 days ago
Has anyone outside of Google implemented something similar in spirit to this for K8s or ECS? What was the threat model you were considering when you built it? Was it worth it?
2 comments

Yes, there are a few listed in this blog post: https://cloud.google.com/blog/products/identity-security/bey...

- Kubernetes admission controllers, OSS part of Kubernetes: https://kubernetes.io/docs/reference/access-authn-authz/admi...
- Kritis, OSS: https://opensource.google/projects/kritis
- OPA Gatekeeper, OSS: https://github.com/open-policy-agent/gatekeeper
- Binary Authorization on GKE/Anthos: https://cloud.google.com/binary-authorization/

They don't all do all the pieces. The hardest part is going to be integrating whatever enforcement solution you choose with your upstream CI/CD pipeline.

Disclosure: I work at Google and helped write this whitepaper on Binary Authorization for Borg.

Kritis[0] is a K8s implementation of this that intends to block deployments of images that haven't been properly vetted beforehand, or have critical vulnerabilities, etc.

Whitepaper: https://github.com/grafeas/kritis/blob/master/docs/binary-au...

[0] https://github.com/grafeas/kritis
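To make concrete what the admission-controller approach in the first reply and the Kritis description in the second reply actually enforce, here is an added example of the decision logic a validating admission webhook would run on a Pod: every container image must be pinned by sha256 digest (tags are mutable, so a tag says nothing about what was built), and every digest must carry an attestation produced by the CI pipeline. This is illustrative code written for this thread, not Kritis, Binary Authorization or Gatekeeper code. It assumes an HMAC over the digest under a key shared with CI as a stand-in for the asymmetric signatures the real tools use, a constructed sample AdmissionReview, and hypothetical helper names (`attest`, `evaluate`, `make_review`).

```python
"""Admission-time check: only digest-pinned images with a valid CI attestation may run.

Illustrative code for this thread, not from Kritis or Binary Authorization.
The HMAC attestation is a stand-in for a real signature scheme: with a shared
secret the cluster could forge attestations, so production systems hold only a
verification (public) key on the enforcement side.
"""
import hashlib
import hmac
import json
import re

# Constructed demo key "held" by the CI attestor. Assumption for this example only.
ATTESTOR_KEY = b"ci-attestor-demo-key"

# An image reference is acceptable only in the form name@sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"^(?P<name>[^@]+)@(?P<digest>sha256:[0-9a-f]{64})$")


def attest(digest: str, key: bytes = ATTESTOR_KEY) -> str:
    """CI side: produce an attestation that an image digest passed the pipeline."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def verify_attestation(digest: str, attestation: str, key: bytes = ATTESTOR_KEY) -> bool:
    """Cluster side: constant-time check of an attestation against a digest."""
    return hmac.compare_digest(attest(digest, key), attestation)


def pod_images(pod: dict):
    """Yield every image a Pod would run, including init and ephemeral containers."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field, []):
            yield container.get("image", "")


def evaluate(review: dict, attestations: dict, key: bytes = ATTESTOR_KEY):
    """Return (allowed, reason) for an AdmissionReview request on a Pod."""
    request = review["request"]
    if request.get("kind", {}).get("kind") != "Pod":
        return True, "not a Pod; nothing to check"
    for image in pod_images(request["object"]):
        match = DIGEST_RE.match(image)
        if not match:
            return False, f"image {image!r} is not pinned by sha256 digest"
        digest = match.group("digest")
        attestation = attestations.get(digest)
        if attestation is None or not verify_attestation(digest, attestation, key):
            return False, f"no valid attestation for {digest}"
    return True, "all images pinned and attested"


def admission_response(review: dict, attestations: dict, key: bytes = ATTESTOR_KEY) -> dict:
    """Build the AdmissionReview response the API server expects from a webhook."""
    allowed, reason = evaluate(review, attestations, key)
    return {
        "apiVersion": review["apiVersion"],
        "kind": "AdmissionReview",
        "response": {
            "uid": review["request"]["uid"],
            "allowed": allowed,
            "status": {"message": reason},
        },
    }


def make_review(images) -> dict:
    """Constructed sample AdmissionReview request for a Pod running the given images."""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": "00000000-0000-0000-0000-000000000001",
            "kind": {"group": "", "version": "v1", "kind": "Pod"},
            "object": {"spec": {"containers": [{"image": img} for img in images]}},
        },
    }


# Constructed digests: one that "went through CI" and one that did not.
GOOD_DIGEST = "sha256:" + "a" * 64
UNATTESTED_DIGEST = "sha256:" + "b" * 64
ATTESTATIONS = {GOOD_DIGEST: attest(GOOD_DIGEST)}  # what CI published

if __name__ == "__main__":
    for image in ("registry.example/app@" + GOOD_DIGEST,
                  "registry.example/app:v1",
                  "registry.example/app@" + UNATTESTED_DIGEST):
        print(json.dumps(admission_response(make_review([image]), ATTESTATIONS)["response"]))
```

The point of the digest check is the part people usually skip: rejecting `app:v1` outright forces the pipeline to deploy by digest (or a mutating webhook to resolve tags first), so the thing the attestation covers is exactly the thing that runs. Wiring `attest` into the CI job and `evaluate` behind a webhook endpoint is the "integration with your upstream CI/CD pipeline" the first reply calls the hard part.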