November 13–15, 2018 - Shanghai, China

Simultaneous translation will be provided for all keynote and breakout sessions.
Wednesday, November 14 • 15:35 - 16:10
Securing the Deploy Pipeline - Felix Glaser, Shopify

Imagine taking arbitrary code, deploying it to production, and hoping everything is secure. When we don’t lock down our deployment pipelines and deploy arbitrary containers, we do exactly that. Join us to discover Shopify’s solution.

After a container is built, we run checks to determine its state: Is it free from vulnerabilities and outdated software? Does it originate from the correct deploy pipeline?

For every successful test, the container is signed and the signature is stored in Grafeas.
At deploy time, the Kritis admission controller enforces the presence of the signatures.

Because the security state of a container can change, we log the metadata created during a container’s lifetime; if it becomes vulnerable, it can be recalled, fixed, and redeployed.

With Grafeas and Kritis, two new tools join Kubernetes, allowing everyone to prevent privilege escalation via code deployment.

Felix Glaser

Senior Production Security Engineer, Shopify
Felix likes to climb, cycle, and code in Canada. The first two outside and the other one at Shopify, where he works on securing containers and their deployment into the cloud.

Wednesday November 14, 2018 15:35 - 16:10
305 B