Signed, Sealed, Delivered - Sign and Verify All the Things - Jeremy Rickard, Microsoft


Abstract

You’re a cluster operator facing evolving supply chain threats. You’re getting hit with rate limits that cause service availability issues. A configuration change made it into production and deployed unapproved images. Someone got access to your registry and tampered with an image. How do we handle these threat vectors? Digital signing and policy enforcement can help! In this talk, we’ll look at how CNCF projects like ORAS, Notary, Flux, and Kyverno can be used together to ensure that everything in your production clusters, from images to configuration YAML, comes from a trusted source and has been digitally signed so that tampering can be detected, and how to do this with a registry you control. You’ll leave this session with knowledge of how these tools work together to enable you to protect your clusters, some of the gaps, and how you can address them. Jeremy will walk through a complete end-to-end experience and provide a GitHub repo with samples to take home.
