The new old: Supply Chain Security

(with Kubernetes this time)


We are the SiC (Signed Container) project. In this talk we give an overview of the supply-chain-security problems that Kubernetes and its tooling pose, followed by a general introduction to the Sigstore tools, which answer some of those problems, specifically artifact signing and verification. Finally, we present our project results: an end-to-end container signing and verification process for IRIS-Connect, implemented with those tools, with the aim of defining a distribution-like, batteries-included setup that eases the migration to a world in which containers are signed and verified automatically in a distributed fashion.