
Checking the Chains at the Gate: Building Supply Chain Policies with Gatekeeper and Ratify

2023-04-20

Authors: Jeremy Rickard

Summary

The presentation discusses the challenges of producing software bills of materials (S-BOMs) and the use of Gatekeeper with external data to enforce policies in Kubernetes clusters.
  • Producing S-BOMs for Windows is a complex task that requires new tools and frameworks.
  • Automation is necessary to make S-BOMs useful and to enforce policies in clusters.
  • Gatekeeper, based on Open Policy Agent, can be used with external data providers to enforce policies in Kubernetes clusters.
  • The OCI 1.1 Referrers API allows S-BOMs and signatures to be associated with images in registries.
The speaker explains that producing S-BOMs is not enough: they need to be useful and to drive policy enforcement. He suggests using automation and Gatekeeper with external data providers to achieve this. He also mentions the new Referrers API in OCI 1.1, which allows S-BOMs and signatures to be associated with images in registries.

Abstract

If you're running Kubernetes in production, you've probably thought about how to keep your clusters and their workloads in compliance with corporate or regulatory policies. In Kubernetes, you'll probably do this with an admission controller. An admission controller intercepts requests to the Kubernetes API server and allows you to validate or change them. Gatekeeper is an Open Policy Agent based admission controller that enables enforcement of CRD-based policies. These policies normally act on data within the request or other static data within your cluster. However, sometimes that's not enough. As Software Supply Chain security becomes more important, our policies need to consider more external artifacts. Maybe you want to verify that images are signed or that the SBOM for a service doesn't have that latest OpenSSL CVE. Gatekeeper's external data feature allows you to do just this, through the use of plugin providers. Ratify is an open source project that enables verification of supply chain artifacts and can act as a provider for Gatekeeper. In this talk, Jeremy will show how you can use Gatekeeper, Ratify, and OCI registries to develop supply chain security focused policies for your clusters, as well as how to write your own custom verifiers to meet evolving policy requirements.
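As an added example, not code from the talk or from the Ratify project: a minimal Gatekeeper external data provider in Go that answers the request/response exchange Ratify implements, so a policy can ask "is this image verified?" for each key. The response types are re-declared to match Gatekeeper's v1beta1 external data protocol, and the digest allowlist, the `VerifyKeys` and `HandleBody` names and the tag-rejection rule are assumptions standing in for a real verifier that would consult the registry's referrers.

```go
package main
import (
	"encoding/json"
	"strings"
)

// Wire types of Gatekeeper's external data protocol (v1beta1), re-declared so the example has no Gatekeeper dependency.
type Item struct {
	Key   string `json:"key"`
	Value string `json:"value,omitempty"`
	Error string `json:"error,omitempty"`
}
type ProviderResponse struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Response   struct {
		Idempotent bool   `json:"idempotent"`
		Items      []Item `json:"items"`
	} `json:"response"`
}
// Constructed stand-in for verifier results (digests whose signature/SBOM checks passed); Ratify would query the registry.
var verifiedDigests = map[string]bool{"sha256:aaaa1111": true}
// VerifyKeys evaluates each image reference Gatekeeper sends; tag-only references are rejected since a tag can be re-pointed.
func VerifyKeys(keys []string) []Item {
	items := make([]Item, 0, len(keys))
	for _, k := range keys {
		_, digest, pinned := strings.Cut(k, "@")
		switch {
		case !pinned:
			items = append(items, Item{Key: k, Error: "image must be pinned by digest"})
		case verifiedDigests[digest]:
			items = append(items, Item{Key: k, Value: "verified"})
		default:
			items = append(items, Item{Key: k, Error: "no passing verification for " + digest})
		}
	}
	return items
}
// HandleBody turns one ProviderRequest body into the JSON reply Gatekeeper expects.
func HandleBody(body []byte) ([]byte, error) {
	var req struct{ Request struct{ Keys []string } } // JSON keys match case-insensitively
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, err
	}
	resp := ProviderResponse{APIVersion: "externaldata.gatekeeper.sh/v1beta1", Kind: "ProviderResponse"}
	resp.Response.Idempotent = true // same keys give the same answer, so Gatekeeper may cache
	resp.Response.Items = VerifyKeys(req.Request.Keys)
	return json.Marshal(resp)
}
```

In a Rego ConstraintTemplate the policy would call `external_data` with the provider's name and the container image references as keys, and deny the admission when any returned item carries an error.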

Materials: