Open Source Summit North America 2023

Recently we have seen challenges in the global consumer supply chain while the SolarWinds hack highlighted software supply chain weakness. The lack of software supply chain security has become a common attack vector for malicious code. When working with containers, it is important to ensure that processes are secure and controlled and be mindful that this is a multifaceted concern. While we can use a number of tools to scan for vulnerabilities, using digital signatures is a great way to ensure your code is exactly what is intended. Today, we will compare different options for signing container images and work through a demo using Notary, Gatekeeper, and Ratify. Notary is an open source project designed on TUF (The Update Framework) which is a specification for managing trusted application code. Gatekeeper is a customizable admission webhook for Kubernetes that enforces policies executed by the Open Policy Agent (OPA). Ratify is a workflow engine that coordinates the verification of different supply chain objects for an image as per a given policy. We will show how to use these technologies in a typical CI/CD process including enforcement by policy in Kubernetes clusters. Will the hacker be able to get malicious code deployed to our clusters? Tune in to find out!