Everyone has heard about supply chain security in the last year. The SolarWinds hack and President Biden's Cybersecurity Executive Order have forced the industry to start taking it seriously. In the same period the Kubernetes ecosystem has taken large strides in coming up with credible solutions and tooling for addressing some of the problems.
This session will begin with an overview of the issues and why they're important, before moving on to look at how we can use tooling to begin addressing them. In particular, we will look at using Sigstore to add provenance data to a container image and Kyverno to verify that data in a Kubernetes cluster.
Finally, we will end with a look at what still needs to be done to truly address our supply chain security issues.
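To make the Sigstore/Kyverno combination the abstract mentions concrete, here is an added example of a Kyverno ClusterPolicy that admits a Pod only if its images carry a keyless Sigstore signature and a SLSA provenance attestation. This is not code from the session or from Chainguard; the registry prefix, the OIDC subject/issuer, the builder id and the Kyverno 1.9+ field names (`type` rather than the older `predicateType`) are assumptions that would be adjusted for a real cluster.

```yaml
# Added example (not from the talk): Kyverno policy enforcing that every
# image from an assumed registry prefix is signed and carries provenance.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signature-and-provenance
spec:
  # Enforce = reject the Pod on failure; Audit would only log a violation.
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
  background: false
  rules:
    - name: require-keyless-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"        # assumed: registry prefix to protect
          # Rewrite the tag to the verified digest so the admitted Pod
          # cannot later resolve the tag to a different image.
          mutateDigest: true
          required: true
          attestors:
            - entries:
                - keyless:
                    # Identity bound into the Fulcio certificate at signing time
                    # (assumed values; trust only the workflow that should build).
                    subject: "https://github.com/example-org/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
    - name: require-slsa-provenance
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"
          attestations:
            # Provenance attached with `cosign attest` (in-toto envelope).
            - type: https://slsa.dev/provenance/v0.2
              attestors:
                - entries:
                    - keyless:
                        subject: "https://github.com/example-org/*"
                        issuer: "https://token.actions.githubusercontent.com"
                        rekor:
                          url: https://rekor.sigstore.dev
              # Check the predicate body, not just the signature over it:
              # the image must come from the expected builder.
              conditions:
                - all:
                    - key: "{{ builder.id }}"
                      operator: Equals
                      value: "https://github.com/example-org/example-repo/.github/workflows/build.yaml@refs/heads/main"
```

The two rules fail independently: an image that is signed but has no provenance attestation (or whose provenance names a different builder) is rejected even though the signature check passes, and `mutateDigest: true` pins the admitted workload to the exact digest that was verified. Start with `validationFailureAction: Audit` and review the policy reports before switching to `Enforce` so that unsigned base images already running in the cluster are discovered rather than blocked on their next restart.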
Adrian has been involved with containers from the early days of Docker and authored the O’Reilly book “Using Docker” (https://atlas.oreilly.com/oreillymedia/using-docker). He works at Chainguard (chainguard.dev) whose mission is to make the software lifecycle secure by default. He is currently investigating how to enable companies to create secure container images without sacrificing usability or performance.