Make the Secure Kubernetes Supply Chain Work for You


Authors: Adolfo García Veytia


The presentation discusses the importance of provenance and attestation in the DevOps process, specifically in the Kubernetes project.
  • The speaker emphasizes the need for general-purpose tooling to make the process as efficient as possible.
  • The SPDX standard from the Linux Foundation is used to issue the SBOM.
  • Two main patterns for attestation are discussed: calling a binary and using a webhook.
  • Signing and verifying artifacts is crucial to guard against compromised dependencies.
  • Provenance information is necessary to understand the build process and detect errors.
The speaker uses a Star Wars analogy to illustrate the consequences of not having provenance information and signed artifacts.


Starting with Kubernetes 1.22, SIG Release began building new security features into Kubernetes releases to make the project a better citizen in the software supply chain. The push to secure the release process has produced tools and processes that have improved the way other projects in the ecosystem are released. At the same time, we have made sure that Kubernetes plays well in the wider chain: verifying what we get from upstream and making sure consumers of our artifacts can trust what they get from us. This talk will give an overview of lessons learned and tools we have created that you can reuse in your own projects to secure your releases. It will center on three key moments and technologies: the initial effort to produce SBOMs describing sources and artifacts along with their dependencies; the provenance attestations that make the release process SLSA compliant; and, finally, how digital signatures are implemented in the project.
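As an added illustration (not code from the talk or from the Kubernetes release tooling), this is the check a consumer performs on a provenance attestation after its signature has been verified: the in-toto statement must carry a SLSA provenance predicate, name the artifact's digest as its subject, and come from a builder the consumer trusts. The artifact bytes, builder id and source URI below are constructed placeholders.

```python
import hashlib
import json

# Constructed sample bytes standing in for a downloaded release binary.
SAMPLE_ARTIFACT = b"#!/bin/sh\necho kubectl-placeholder\n"

def make_sample_statement(artifact: bytes) -> str:
    """Build a constructed in-toto Statement wrapping a SLSA provenance predicate.
    Builder id and source URI are placeholders, not Kubernetes' real values."""
    digest = hashlib.sha256(artifact).hexdigest()
    return json.dumps({
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "kubectl", "digest": {"sha256": digest}}],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "builder": {"id": "https://example.invalid/builder"},
            "invocation": {
                "configSource": {
                    "uri": "git+https://example.invalid/repo@refs/tags/v0.0.0"
                }
            },
        },
    })

def verify_provenance(artifact: bytes, statement_json: str, expected_builder: str) -> bool:
    """Return True only if the statement really describes `artifact`:
    it is an in-toto Statement, its predicate is SLSA provenance,
    one subject's sha256 equals the artifact's digest, and the
    builder id is the one we trust. Signature checking happens before this."""
    stmt = json.loads(statement_json)
    if stmt.get("_type") != "https://in-toto.io/Statement/v0.1":
        return False
    if not str(stmt.get("predicateType", "")).startswith("https://slsa.dev/provenance/"):
        return False
    actual = hashlib.sha256(artifact).hexdigest()
    subjects = stmt.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == actual for s in subjects):
        return False  # attestation is for some other artifact
    builder_id = stmt.get("predicate", {}).get("builder", {}).get("id")
    return builder_id == expected_builder
```

A tampered binary, or an attestation produced by an unexpected builder, fails the check even though the statement itself is well formed.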

