
Trust But Verify: Bringing Supply Chain Integrity To CD GitOps

2022-10-27

Authors: Yuji Watanabe, Hirokuni Kitahara


Summary

The talk discusses the lack of supply chain controls in CD GitOps automation and proposes a solution that ensures integrity and tamper-proof deployments.
  • CD GitOps lacks the supply chain controls needed for integrity and tamper-proof deployments
  • A properly instrumented CD GitOps process can provide verification of source assets with cluster enforcement of signatures and policy permissions
  • Keyless signing via Sigstore, combined with intersecting control points throughout GitOps, can provide accurate cryptographic signing of source assets and transparency of configuration provenance
  • An admission controller such as Integrity Shield can validate pipeline integrity

The talk explains how a properly instrumented CD GitOps process can be extended to provide verification of source assets with cluster enforcement of signatures and policy permissions. By combining keyless signing via Sigstore with intersecting control points throughout GitOps, accurate cryptographic signing of source assets can be obtained and transparency of configuration provenance produced. Finally, using an admission controller such as Integrity Shield, cluster enforcement validates pipeline integrity.

Abstract

Using GitOps automation to deliver Kubernetes cloud native applications allows infrastructure to be managed the same way application code is managed, but it lacks the supply chain controls needed to ensure integrity and tamper-proof deployments. Whilst application source dependencies have quickly benefited from SBOMs, transparency logs, and cryptographic signatures, delivery-side automation has not participated in the end-to-end integrity guarantees. With CD GitOps, Kubernetes manifests are composed from multiple source assets across several locations, each with its own potential sources of malicious or accidental tampering. Template-based mutations occur throughout continuous deployment and prevent typical signing and verification methods from being applied. This talk describes how a properly instrumented CD GitOps process can be extended to provide verification of source assets with cluster enforcement of signatures and policy permissions. By combining keyless signing via Sigstore with intersecting control points throughout GitOps, accurate cryptographic signing of source assets can be obtained and transparency of configuration provenance produced. Finally, using an admission controller such as Integrity Shield, cluster enforcement validates pipeline integrity.
