Cloud Native Rejekts EU (Valencia) 2022

Enforcing a Secure Supply Chain on Kubernetes
05-15, 16:55–17:25 (Europe/Madrid), Main Room

A series of exploits and vulnerabilities has made everybody aware of the importance of having a Secure Supply Chain story in place.
But how hard is it to implement a Secure Supply Chain and, most importantly, how can we take advantage of it inside our Kubernetes clusters?
Moreover, how can we ensure our clusters stay compliant, and how can we quickly assess whether we are running workloads affected by the latest CVE that has just been announced?
This talk explains how to implement a Secure Supply Chain using Open Source projects and enforce it in our cluster with an Admission Controller.


Creating a Secure Supply Chain initiative can be confusing. There are many aspects to take into consideration and many projects that need to be put together to get there.
Moreover, having a Secure Supply Chain is only part of the solution. There must be ways to leverage the information coming from the supply chain in order to keep Kubernetes clusters secure and compliant.
This talk provides a concrete example of how to achieve a Secure Supply Chain with Sigstore, which we then enforce in the cluster with an Admission Controller.
We aim to share our experience with the community on implementing Secure Supply Chains.
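As an added illustration of the enforcement step (this is an editor's example, not material from the talk and not a manifest shipped by the Kubewarden project), below is a Kubewarden ClusterAdmissionPolicy that uses the verify-image-signatures policy to admit only Pods whose images carry a Sigstore/cosign signature. On the producer side the matching step is `cosign generate-key-pair` followed by `cosign sign --key cosign.key <image>`. The policy module version tag, the image glob and the public key are placeholder values chosen for this example; the settings keys follow the policy's documented schema as the editor understands it and should be checked against the policy's README before use.

```yaml
# Added example: enforce cosign signatures at admission time with Kubewarden.
# Version tag, image glob and public key below are placeholder values, not real ones.
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: verify-image-signatures
spec:
  # Policy WebAssembly module pulled from an OCI registry; pin a real, checked version.
  module: registry://ghcr.io/kubewarden/policies/verify-image-signatures:v0.1.7
  # Mutating because the policy can rewrite the image reference to the verified
  # digest, so a tag cannot be repointed to unsigned content after admission.
  mutating: true
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["pods"]
      operations: ["CREATE", "UPDATE"]
  settings:
    modifyImagesWithDigest: true
    signatures:
      # Every image under this prefix must be signed by the given cosign public key.
      - image: "registry.example.com/myteam/*"
        pubKeys:
          - |
            -----BEGIN PUBLIC KEY-----
            <placeholder: contents of cosign.pub from `cosign generate-key-pair`>
            -----END PUBLIC KEY-----
```

Caveat a practitioner should keep in mind: with this policy, an image that matches none of the `image` entries is not verified at all and is admitted, so the glob list must cover every registry you actually allow, or be paired with a policy that restricts which registries Pods may pull from. Also, verification happens only at admission; a CVE announced later in an already-running image is a separate, continuous check, which is the compliance question the talk raises.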

Víctor started his involvement in Open Source at university, contributing to Debian. Nowadays he works as a software developer on security projects such as Kubewarden, as part of SUSE Rancher; before that, he worked as an automation engineer for cloud native distributed technologies based on Cloud Foundry and OpenStack.