Hardening the Kubernetes Software Supply Chain Through Better Transparency

2021-10-13

Authors: Nabarun Pal, Verónica López González, Adolfo García Veytia

Abstract

Software supply chains are growing increasingly complex, especially when it comes to deploying cloud native environments securely. After refactoring the Kubernetes release process over the past years, SIG Release efforts have shifted towards three main areas of work. In this talk, Verónica, Nabarun, and Adolfo will cover all of them in depth:

* Starting with Kubernetes v1.22, every release includes an SPDX Bill of Materials describing the source code, binaries, and all published images.
* Automatic verification of the integrity and consistency of release artifacts as part of the Kubernetes release process.
* Digital signing of released artifacts and signature verification of upstream images.

In the final part of the presentation, the speakers will demonstrate some of the tools that SIG Release has created, which can be leveraged today by the community in other projects, too.

Related work

Authors: Carlos Panato, Adolfo García Veytia
2023-04-20

Authors: Carlos Panato, Jeremy Rickard, Sascha Grunert, Adolfo García Veytia
2022-10-26

Authors: Carlos Panato, Adolfo García Veytia, Stephen Augustus
2022-05-18