Hardening the Kubernetes Software Supply Chain Through Better Transparency


Authors:   Nabarun Pal, Verónica López González, Adolfo García Veytia


Software supply chains are becoming increasingly complex, especially when it comes to deploying cloud native environments securely. After refactoring the Kubernetes release process over the past years, SIG Release's efforts have shifted towards three main areas of work. In this talk, Verónica, Nabarun, and Adolfo will cover all of them in depth:

* Starting with Kubernetes v1.22, every release includes an SPDX Bill of Materials describing the source code, binaries, and all published images.
* Automatic verification of the integrity and consistency of release artifacts as part of the Kubernetes release process.
* Digital signing of released artifacts and signature verification of upstream images.

In the final part of the presentation, the speakers will demonstrate some of the tools that SIG Release has created, which the community can leverage today in other projects, too.


