Filling the Gaps in Kubernetes Flavored SLSA with Threat Modeling

2023-04-19

Authors:   Christie Warwick, Priya Wadhwa


Summary

The presentation discusses the use of the SLSA standard and Tekton in threat modeling and securing CI/CD systems on Kubernetes.
  • SLSA sets standards for build system execution to ensure trustworthiness
  • Threat modeling for a build system on Kubernetes identifies additional threats and ways to mitigate them
  • Tekton can do more to verify image provenance and address volume isolation
  • SPIRE can be used to catch tampering with Tekton CRDs
  • Trusted resources in Tekton ensure execution of the intended tasks and pipelines
The presentation highlights the importance of verifying image provenance to prevent compromised step images. Tekton could fetch the provenance of images and verify it before use, but this requires producing provenance for more images. The presenter notes that this creates a 'chicken and egg' problem, but suggests that Tekton could address this in the future.

Abstract

SLSA is an emerging standard for supply chain security that makes it easier to reason about threats and mitigations, but how do we make it work for Kubernetes? It can be difficult to analyze the security posture of a Kubernetes-based CI/CD platform, let alone mitigate the threats. Threat modeling to the rescue! Using Tekton as a case study, Priya and Christie will walk you through a threat model analysis of CI/CD execution on Kubernetes, identifying trust boundaries that can be exploited by malicious external actors, internal actors and even privileged admins, and mapping these trust boundaries to SLSA standards. They will demo how Tekton has complied with this standard by utilizing open source projects like Sigstore and SPIRE. You'll leave this talk with a deeper understanding of supply chain security and of how to mitigate potential threats to building artifacts on Kubernetes.

Materials: