Explore the latest advancements in hardening the Kubernetes software supply chain through enhanced transparency in this informative conference talk. Delve into the three main areas of focus for SIG Release efforts following the refactoring of the Kubernetes release process. Learn about the inclusion of SPDX Bill of Materials in Kubernetes releases since v1.22, automatic verification of release artifact integrity and consistency, and digital signing of released artifacts with signature verification of upstream images. Gain insights into the tools created by SIG Release that can be leveraged by the community in other projects. Discover how these efforts contribute to deploying cloud native environments securely in increasingly complex software supply chains.
Hardening the Kubernetes Software Supply Chain Through Better Transparency
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
Syllabus
Introduction
Past Years: Foundations a New Release Process
Ownership of the Container Image Promoter
Current Efforts for 2021 and Beyond
SLSA Compliance
People+Code (We need to talk)
Closing Remarks
Taught by
CNCF [Cloud Native Computing Foundation]
Related Courses
-
How SIG Release Cooks Trustworthy Artifacts From Raw Source Code - Kubernetes Build Process
-
Releasing Kubernetes Less Often and More Securely - SIG Release Update
-
Secure Your Project with the SIG Release Supply Chain Kit
-
Open Tools for Secure Supply Chains in Kubernetes - From Release Engineering
-
Sign, Attest, and Verify - A Practical Guide for Software Supply Chain Security
