Explore Datadog's approach to image signing and runtime verification at scale in this conference talk. Delve into the challenges of securing container images across diverse engineering environments and learn about Datadog's unique solutions. Discover their service-oriented approach to image signing, which simplifies adoption across heterogeneous build environments. Understand why they chose to validate image signatures at runtime using a containerd plugin system instead of Kubernetes admission controllers. Gain insights into the design decisions, implementation details, and real-world experiences of operating this system in production. Learn about signature metadata, formats, and registry layouts, as well as the benefits of a signing service for least privilege and auditability. Examine the developer perspective, distribution of verifier configurations, public keys, and image revocation lists. Conclude with valuable takeaways and recommendations for implementing similar systems in your own environment.
Image Signing and Runtime Verification at Scale - Datadog's Journey
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
Syllabus
Intro
Why sign & verify images?
Modern Consensus on Image Signing
Signature Metadata in a Registry
Signature Format: Payload
Signature Format: Envelope
Signature Format: Registry Layout
Signing as a Service
Signing Thin Client
Signing Service: Least Privilege & Auditability
Signing Service: Encapsulation
Validating Admission Webhooks
Image Verification in containerd
Developer Perspective
Distributing Verifier Config
Distributing Public Keys & Mode
Distributing Image Revocation List
Challenges & Recommendations
Takeaways
Taught by
CNCF [Cloud Native Computing Foundation]
