Authors: Marina Moore, Santiago Torres-Arias
2022-10-27

Download the code ahead of time. DCO required. Join us for some live collaboration on TUF, in-toto, and Sigstore, where we will be implementing new features and creating more cohesive integrations between these software supply chain projects. This Contribfest session is designed to provide projects with the space and resources to tackle outstanding technical debt, security issues, or outstanding impactful feature requests. It is intended to provide a place for maintainers to meet contributors and potential contributors and work together on solving a problem.
Authors: Urvashi Mohnani, Peter Hunt, Mrunal Patel
2022-10-27

As CRI-O approaches CNCF graduation, it continues in its mission to provide a stable and secure OCI implementation of the Kubernetes CRI. Join the CRI-O team as they give an overview of CRI-O and talk about some new work, such as the progress on the new container monitor conmon-rs, rewritten completely in Rust. The team will also talk about the integration with Sigstore to secure CRI-O's supply chain, as well as some of the interesting work being done in CRI-O to stay in line with upstream Kubernetes. These include the stats collection rework and the work to support evented PLEG. Audience members will leave with an understanding of what CRI-O is and where it is going.
Authors: Jesse Sanford, Jason Hall
2022-10-26

Secure software supply chain practices have begun to permeate all aspects of software development. But what about the orchestration of our infrastructure? With the proliferation of infrastructure as code, many of the same threats posed to software supply chains are also threats to our IaC ecosystems. IaC provides clear advantages to platform teams, bringing uniformity and productivity to developers, but with the great power bestowed on it, it also presents a juicy target for supply chain attacks, often while no one is looking. It's only a matter of time before our Site Reliability Engineers will need to defend against the same attack vectors as their Software Engineer counterparts. How can DevSecOps practitioners learn from the patterns and practices being developed by projects like SLSA? Can IaC pipelines build on tooling like Sigstore and in-toto? This talk covers the application of software supply chain security principles to modern IaC pipelines. Jesse and Jason discuss design changes to the Crossplane package management system and its forthcoming integration with Sigstore, enabling IaC provenance and attestations. Finally, a demo showcasing the equivalent of "admission control" for IaC will provide inspiration for further work on secure IaC supply chains.