Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Introduction to Software Supply Chain Security & Tooling

Bob Killen
August 05, 2022

Introduction to Software Supply Chain Security & Tooling

You’re familiar with containers and Kubernetes, but suddenly people are talking about supply chains, and you’re pretty sure they don’t mean the Suez Canal. Join Jeffrey Sica and Bob Killen for an in-depth look at the nuts, bolts, and metaphorical shipping containers that make up modern container supply chain security. They’ll demo sigstore and show how container signing automation works with Kubernetes. You’ll leave prepared to make decisions that will keep your org unstuck.

Bob Killen

August 05, 2022
Tweet

More Decks by Bob Killen

Other Decks in Technology

Transcript

  1. Supply Chain
    Security Tooling

    View Slide

  2. Welcome!
    Dependencies, Tutorials, Links to Slides:
    https://github.com/jeefy/sigstore-intro-tutorial

    View Slide

  3. $ whoami - Bob
    Bob Killen
    [email protected]
    OSS Program Manager @ Google
    Github: @mrbobbytables
    Twitter: @mrbobbytables
    Site: mrbobbytabl.es

    View Slide

  4. $ whoami - Jeff
    Jeffrey Sica
    [email protected]
    DevEx @ CNCF
    Github: @jeefy
    Twitter: @jeefy
    Site: jeefy.dev

    View Slide

  5. Before We Begin
    https://docs.sigstore.dev/cosign/installation/

    View Slide

  6. Before We Begin Pt. 2
    Docker will be required to follow along with the
    demos.
    Docker is not required to use the tooling shown.
    https://docs.docker.com/engine/install/#desktop

    View Slide

  7. Before We Begin Pt. 3
    KinD (Kubernetes in Docker) and Helm will be
    used for later demos.
    https://kind.sigs.k8s.io/docs/user/quick-start/#installation
    https://helm.sh/docs/intro/install/

    View Slide

  8. Disclaimer
    You should have some knowledge of
    containers and Kubernetes

    View Slide

  9. Containers: Galaxy-scale overview
    ● Package an application with all of its dependencies
    (container image)
    ● Run instances of the packaged application (container)
    ● Think “Virtual Machine” but sharing kernel space and OS
    libraries (cgroups)

    View Slide

  10. Kubernetes: Galaxy-scale overview
    ● “Container Orchestration” – It takes an entire orchestra
    to play a symphony
    ● Manages containers and their dependencies (Storage,
    Networking, third-party resources) in a declarative way
    ● 100% API Driven

    View Slide

  11. So… What Is Supply Chain Security?
    Sourcing Inventory Production
    Planning Transportation

    View Slide

  12. The “Software Supply Chain”
    Code Artifacts Distribution
    Dependencies Execution

    View Slide

  13. Current State?

    View Slide

  14. Current State
    https://www.bike-eu.com/market/nieuws/2022/01/imbalance-in-shipping-container-supply-chain-is-far-from-over-10142078

    View Slide

  15. Current State
    https://www.bike-eu.com/market/nieuws/2022/01/imbalance-in-shipping-container-supply-chain-is-far-from-over-10142078

    View Slide

  16. Current State
    https://www.cnbc.com/2021/03/26/satellite-images-of-ship-ever-given-in-suez-canal-shows-work-underway.html

    View Slide

  17. Current State
    https://www.freightwaves.com/news/insurers-call-for-action-to-prevent-containership-fires

    View Slide

  18. https://sonatype.com/resources/white-paper-2021-state-of-the-software-supply-chain-report-2021

    View Slide

  19. View Slide

  20. Solarwinds Attack
    ● SolarWinds Orion network management tool’s build servers
    compromised
    ● Hack injected a malicious DLL at build time that was signed
    and distributed to clients automatically when they updated
    ● 18,000 SolarWinds customers including many Fortune 500
    Companies, Government Agencies and Tier 1 Network
    Providers were impacted
    Project Trebuchet: How SolarWinds
    is Using Open Source to Secure
    Their Supply Chain in the Wake of
    the Sunburst Hack

    View Slide

  21. Solarwinds Attack
    ● SolarWinds Orion network management tool’s build servers
    compromised
    ● Hack injected a malicious DLL at build time that was signed
    and distributed to clients automatically when they updated
    ● 18,000 SolarWinds customers including many Fortune 500
    Companies, Government Agencies and Tier 1 Network
    Providers were impacted
    Project Trebuchet: How SolarWinds
    is Using Open Source to Secure
    Their Supply Chain in the Wake of
    the Sunburst Hack
    NO source code compromised

    View Slide

  22. https://sonatype.com/resources/white-paper-2021-state-of-the-software-supply-chain-report-2021

    View Slide

  23. US Gov Policy Changes
    Executive Order 14028
    - (Sec. 2) Remove barriers to threat information sharing between
    Government and the Private Sector
    - (Sec. 3) Modernize and implement stronger cybersecurity
    standards in the Federal Government
    - (Sec. 4) Improve Software Supply Chain Security
    - (Sec. 5) Establish a Cybersecurity Safety Review Board
    - (Sec. 6) Create a standard playbook for responding to cyber
    incidents
    - (Sec. 7) Improve Detection of Cybersecurity Incidents on Federal
    Government Networks
    - (Sec. 8) Improve Investigative and Remediation Capabilities

    View Slide

  24. US Gov Policy Changes
    Executive Order 14028
    - (Sec. 2) Remove barriers to threat information sharing
    between the Government and the Private Sector
    - (Sec. 3) Modernize and implement stronger cybersecurity
    standards in the Federal Government
    - (Sec. 4) Improve Software Supply Chain Security
    - (Sec. 5) Establish a Cybersecurity Safety Review Board
    - (Sec. 6) Create a standard playbook for responding to cyber
    incidents
    - (Sec. 7) Improve Detection of Cybersecurity Incidents on Federal
    Government Networks
    - (Sec. 8) Improve Investigative and Remediation Capabilities

    View Slide

  25. US Gov Policy Changes
    Executive Order 14028
    - (Sec. 2) Remove barriers to threat information sharing between the
    Government and the Private Sector
    - (Sec. 3) Modernize and implement stronger cybersecurity
    standards in the Federal Government
    - (Sec. 4) Improve Software Supply Chain Security
    - (Sec. 5) Establish a Cybersecurity Safety Review Board
    - (Sec. 6) Create a standard playbook for responding to cyber
    incidents
    - (Sec. 7) Improve Detection of Cybersecurity Incidents on Federal
    Government Networks
    - (Sec. 8) Improve Investigative and Remediation Capabilities

    View Slide

  26. US Gov Policy Changes
    Executive Order 14028
    - (Sec. 2) Remove barriers to threat information sharing between the
    Government and the Private Sector
    - (Sec. 3) Modernize and implement stronger cybersecurity
    standards in the Federal Government
    - (Sec. 4) Improve Software Supply Chain Security
    - (Sec. 5) Establish a Cybersecurity Safety Review Board
    - (Sec. 6) Create a standard playbook for responding to cyber
    incidents
    - (Sec. 7) Improve Detection of Cybersecurity Incidents on Federal
    Government Networks
    - (Sec. 8) Improve Investigative and Remediation Capabilities
    Work on OSS? Want a security key?
    Find me after and get a free Titan key.

    View Slide

  27. US Gov Policy Changes
    Executive Order 14028
    - (Sec. 2) Remove barriers to threat information sharing between the
    Government and the Private Sector
    - (Sec. 3) Modernize and implement stronger cybersecurity
    standards in the Federal Government
    - (Sec. 4) Improve Software Supply Chain Security
    - (Sec. 5) Establish a Cybersecurity Safety Review Board
    - (Sec. 6) Create a standard playbook for responding to cyber
    incidents
    - (Sec. 7) Improve Detection of Cybersecurity Incidents on Federal
    Government Networks
    - (Sec. 8) Improve Investigative and Remediation Capabilities

    View Slide

  28. US Gov Policy Changes
    Executive Order 14028
    - (Sec. 2) Remove barriers to threat information sharing between
    Government and the Private Sector
    - (Sec. 3) Modernize and implement stronger cybersecurity
    standards in the Federal Government
    - (Sec. 4) Improve Software Supply Chain Security
    - (Sec. 5) Establish a Cybersecurity Safety Review Board
    - (Sec. 6) Create a standard playbook for responding to cyber
    incidents
    - (Sec. 7) Improve Detection of Cybersecurity Incidents on Federal
    Government Networks
    - (Sec. 8) Improve Investigative and Remediation Capabilities

    View Slide

  29. US Gov Policy Changes
    Executive Order 14028
    - (Sec. 2) Remove barriers to threat information sharing between
    Government and the Private Sector
    - (Sec. 3) Modernize and implement stronger cybersecurity
    standards in the Federal Government
    - (Sec. 4) Improve Software Supply Chain Security
    - (Sec. 5) Establish a Cybersecurity Safety Review Board
    - (Sec. 6) Create a standard playbook for responding to
    cyber incidents
    - (Sec. 7) Improve Detection of Cybersecurity Incidents on Federal
    Government Networks
    - (Sec. 8) Improve Investigative and Remediation Capabilities

    View Slide

  30. US Gov Policy Changes
    Executive Order 14028
    - (Sec. 2) Remove barriers to threat information sharing between
    Government and the Private Sector
    - (Sec. 3) Modernize and implement stronger cybersecurity
    standards in the Federal Government
    - (Sec. 4) Improve Software Supply Chain Security
    - (Sec. 5) Establish a Cybersecurity Safety Review Board
    - (Sec. 6) Create a standard playbook for responding to cyber
    incidents
    - (Sec. 7) Improve Detection of Cybersecurity Incidents on
    Federal Government Networks
    - (Sec. 8) Improve Investigative and Remediation Capabilities

    View Slide

  31. US Gov Policy Changes
    Executive Order 14028
    - (Sec. 2) Remove barriers to threat information sharing between
    Government and the Private Sector
    - (Sec. 3) Modernize and implement stronger cybersecurity
    standards in the Federal Government
    - (Sec. 4) Improve Software Supply Chain Security
    - (Sec. 5) Establish a Cybersecurity Safety Review Board
    - (Sec. 6) Create a standard playbook for responding to cyber
    incidents
    - (Sec. 7) Improve Detection of Cybersecurity Incidents on Federal
    Government Networks
    - (Sec. 8) Improve Investigative and Remediation
    Capabilities

    View Slide

  32. The Problem In A Nutshell

    View Slide

  33. Supply Chain Attacks are on the rise and
    the Software Development Lifecycle has
    become a popular vector for attacks.

    View Slide

  34. How can we trust the software we
    choose to run?

    View Slide

  35. View Slide

  36. A Reasonable Solution

    View Slide

  37. SLSA

    View Slide

  38. Supply chain
    Levels for
    Software
    Artifacts 💃
    slsa.dev

    View Slide

  39. Source Integrity Build Integrity
    Source Build Package
    Dev
    Dependencies
    Users
    Software Supply Chain
    Artifact
    Process

    View Slide

  40. Source Integrity Build Integrity
    Source Build Package
    Dev
    Inject bad
    code (A)
    Compromise
    source control (B)
    Build from modified
    sources (C)
    Dependencies
    Compromise
    build system (D)
    Bypass CI/CD, inject
    bad artifact (F)
    Compromise
    package repository (G)
    Use bad package (H)
    Users
    Software Supply Chain:
    Vulnerability Points
    Artifact
    Process
    Inject bad or
    vulnerable
    dependency (E)

    View Slide

  41. Source Integrity Build Integrity
    Source Build Package
    Dev
    Inject bad
    code (A)
    Compromise
    source control (B)
    Build from modified
    sources (C)
    Dependencies
    Compromise
    build system (D)
    Bypass CI/CD, inject
    bad artifact (F)
    Compromise
    package repository (G)
    Use bad package (H)
    Users
    Software Supply Chain:
    Trust Boundaries
    Artifact
    Process
    Inject bad or
    vulnerable
    dependency (E)

    View Slide

  42. SLSA Levels
    Automation & Provenance
    Build must be fully scripted/automated
    and generate provenance
    Version Control & Signed
    Provenance
    Requires using version control and hosted
    build service that generates authenticated
    provenance
    Non-falsifiable, Ephemeral
    Builds are fully trustworthy, with identity
    attestations of underlying build
    infrastructure/hardware. Ephemeral
    builds leave nothing behind.
    Hermetic Builds, Review
    All build inputs/dependencies are specified
    upfront with no internet egress during the build.
    Two-party reviews.
    https://slsa.dev/spec/v0.1/requirements

    View Slide

  43. Build Provenance
    Set of metadata that describes a software
    artifact and how it was built.
    SLSA spec fields*
    - subject - artifact(s) information (name+digest)
    - builder - the entity that produced the artifact(s)
    - invocation - execution command / information
    - buildConfig - record of steps executed during build
    - materials - other artifacts/dependencies used
    during build

    View Slide

  44. {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{ ... }],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
    "builder": {
    "id": ""
    },
    "buildType": "",
    "invocation": {
    "configSource": {
    "uri": "",
    "digest": { /* DigestSet */ },
    "entryPoint": ""
    },
    "parameters": { /* object */ },
    "environment": { /* object */ }
    },


    "buildConfig": { /* object */ },
    "metadata": {
    "buildInvocationId": "",
    "buildStartedOn": "",
    "buildFinishedOn": "",
    "completeness": {
    "parameters": true/false,
    "environment": true/false,
    "materials": true/false
    },
    "reproducible": true/false
    },
    "materials": [
    {
    "uri": "",
    "digest": { /* DigestSet */ }
    }
    ]
    }}

    View Slide

  45. {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{ ... }],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
    "builder": {
    "id": ""
    },
    "buildType": "",
    "invocation": {
    "configSource": {
    "uri": "",
    "digest": { /* DigestSet */ },
    "entryPoint": ""
    },
    "parameters": { /* object */ },
    "environment": { /* object */ }
    },


    "buildConfig": { /* object */ },
    "metadata": {
    "buildInvocationId": "",
    "buildStartedOn": "",
    "buildFinishedOn": "",
    "completeness": {
    "parameters": true/false,
    "environment": true/false,
    "materials": true/false
    },
    "reproducible": true/false
    },
    "materials": [
    {
    "uri": "",
    "digest": { /* DigestSet */ }
    }
    ]
    }}

    View Slide

  46. {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{ ... }],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
    "builder": {
    "id": ""
    },
    "buildType": "",
    "invocation": {
    "configSource": {
    "uri": "",
    "digest": { /* DigestSet */ },
    "entryPoint": ""
    },
    "parameters": { /* object */ },
    "environment": { /* object */ }
    },


    "buildConfig": { /* object */ },
    "metadata": {
    "buildInvocationId": "",
    "buildStartedOn": "",
    "buildFinishedOn": "",
    "completeness": {
    "parameters": true/false,
    "environment": true/false,
    "materials": true/false
    },
    "reproducible": true/false
    },
    "materials": [
    {
    "uri": "",
    "digest": { /* DigestSet */ }
    }
    ]
    }}
    builder - Entity that produced the artifact
    Examples:
    "builder": { "id": "mailto:[email protected]" }
    "builder": {
    "id": "https://github.com/Attestations/GitHubHostedActions@v1"
    }
    "builder": {
    "id": "https://gitlab.com/foo/bar/-/runners/12345678"
    }

    View Slide

  47. {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{ ... }],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
    "builder": {
    "id": ""
    },
    "buildType": "",
    "invocation": {
    "configSource": {
    "uri": "",
    "digest": { /* DigestSet */ },
    "entryPoint": ""
    },
    "parameters": { /* object */ },
    "environment": { /* object */ }
    },


    "buildConfig": { /* object */ },
    "metadata": {
    "buildInvocationId": "",
    "buildStartedOn": "",
    "buildFinishedOn": "",
    "completeness": {
    "parameters": true/false,
    "environment": true/false,
    "materials": true/false
    },
    "reproducible": true/false
    },
    "materials": [
    {
    "uri": "",
    "digest": { /* DigestSet */ }
    }
    ]
    }}
    invocation - Execution command / information
    Example:
    "invocation": {
    "configSource": {
    "uri": "git+https://github.com/foo/bar.git,
    "digest": { "sha1": "1234..."}, //git commit hash
    "entryPoint": "build.yaml:build"
    },
    "parameters": {"inputs": {}},
    "environment": {
    “arch”: “amd64”,
    "env": {
    "GITHUB_RUN_ID": "1234",
    "GITHUB_RUN_NUMBER": "5678",
    "GITHUB_EVENT_NAME": "push"
    }
    }
    }

    View Slide

  48. {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{ ... }],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
    "builder": {
    "id": ""
    },
    "buildType": "",
    "invocation": {
    "configSource": {
    "uri": "",
    "digest": { /* DigestSet */ },
    "entryPoint": ""
    },
    "parameters": { /* object */ },
    "environment": { /* object */ }
    },


    "buildConfig": { /* object */ },
    "metadata": {
    "buildInvocationId": "",
    "buildStartedOn": "",
    "buildFinishedOn": "",
    "completeness": {
    "parameters": true/false,
    "environment": true/false,
    "materials": true/false
    },
    "reproducible": true/false
    },
    "materials": [
    {
    "uri": "",
    "digest": { /* DigestSet */ }
    }
    ]
    }}
    materials - other artifacts/dependencies
    used during build
    Example:
    "materials": [{
    "uri": "https://example.com/example-1.2.3.tar.gz",
    "digest": {"sha256": "1234..."}
    }]
    "materials": [{
    "uri": "git+https://github.com/foo/bar.git",
    "digest": {"sha1": "abc..."}
    }]

    View Slide

  49. {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{ ... }],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
    "builder": {
    "id": ""
    },
    "buildType": "",
    "invocation": {
    "configSource": {
    "uri": "",
    "digest": { /* DigestSet */ },
    "entryPoint": ""
    },
    "parameters": { /* object */ },
    "environment": { /* object */ }
    },


    "buildConfig": { /* object */ },
    "metadata": {
    "buildInvocationId": "",
    "buildStartedOn": "",
    "buildFinishedOn": "",
    "completeness": {
    "parameters": true/false,
    "environment": true/false,
    "materials": true/false
    },
    "reproducible": true/false
    },
    "materials": [
    {
    "uri": "",
    "digest": { /* DigestSet */ }
    }
    ]
    }}
    buildConfig - record of steps executed
    during build
    Example:
    "buildConfig": {
    "steps": [
    {
    "image": "pkg:docker/make@sha256:244fd47e07d1004f0aed9c",
    "arguments": ["build"]
    }
    ]
    }
    "buildConfig": {
    "commands": [
    "./configure --enable-some-feature",
    "make foo.zip"
    ],
    "shell": "bash"
    }

    View Slide

  50. {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{ ... }],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
    "builder": {
    "id": ""
    },
    "buildType": "",
    "invocation": {
    "configSource": {
    "uri": "",
    "digest": { /* DigestSet */ },
    "entryPoint": ""
    },
    "parameters": { /* object */ },
    "environment": { /* object */ }
    },


    "buildConfig": { /* object */ },
    "metadata": {
    "buildInvocationId": "",
    "buildStartedOn": "",
    "buildFinishedOn": "",
    "completeness": {
    "parameters": true/false,
    "environment": true/false,
    "materials": true/false
    },
    "reproducible": true/false
    },
    "materials": [
    {
    "uri": "",
    "digest": { /* DigestSet */ }
    }
    ]
    }}
    subject - Artifact(s) information (name+digest)
    Examples:
    "subject": [{"name": "_", "digest": {"sha256": "5678..."}}]
    "subject": [ {
    "name": "herpderp.exe",
    "digest": {"sha256": "1234..."}
    }]

    View Slide

  51. Software Attestation
    A software attestation is a signed set metadata
    (provenance) about one or more software artifacts.
    {
    "payload": "Gew9gICJzdWJqZWN0IjogWwogICAg...",
    "payloadType": "application/vnd.in-toto+json",
    "signatures": [{
    "keyid": "my-awesome-builder-key", //optional
    "sig": "Re4ya66MyFyc9Y..."
    }]
    }

    View Slide

  52. {
    "payload": "Gew9gICJzdWJqZWN0IjogWwogICAg...",
    "payloadType": "application/vnd.in-toto+json",
    "signatures": [{
    "keyid": "my-awesome-builder",
    "sig": "Re4ya66MyFyc9Y..."
    }]
    }
    {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{
    "name": "_",
    "digest": {"sha256": "5678..."}
    }],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
    "builder": {
    "id": "https://github.com/Attestations/GitHubHostedActions@v1"
    },
    "buildType": "",
    "invocation": {
    "configSource": {
    "uri": "",
    "digest": { /* DigestSet */ },
    "entryPoint": ""
    }

    View Slide

  53. {
    "payload": "Gew9gICJzdWJqZWN0IjogWwogICAg...",
    "payloadType": "application/vnd.in-toto+json",
    "signatures": [{
    "keyid": "my-awesome-builder",
    "sig": "Re4ya66MyFyc9Y..."
    }]
    }
    {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{
    "name": "_",
    "digest": {"sha256": "5678..."}
    }],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
    "builder": {
    "id": "https://github.com/Attestations/GitHubHostedActions@v1"
    },
    "buildType": "",
    "invocation": {
    "configSource": {
    "uri": "",
    "digest": { /* DigestSet */ },
    "entryPoint": ""
    }

    Thanks SLSA!

    View Slide

  54. Is There A Reasonable Technical
    Solution?

    View Slide

  55. sigstore
    https://sigstore.dev

    View Slide

  56. Community Driven

    View Slide

  57. Community Driven

    View Slide

  58. Let’s Encrypt?
    Let’s Sign.

    View Slide

  59. View Slide

  60. An Overview Of sigstore
    ● fulcio
    ● rekor
    ● cosign

    View Slide

  61. An Overview Of sigstore
    ● fulcio
    ○ Identity
    ● rekor
    ○ Immutable log with artifact metadata
    ● cosign
    ○ Utility to automate combining fulcio, rekor, and
    OCI-compliant artifacts
    ○ Utilizes underlying sigstore libraries

    View Slide

  62. fulcio
    Free Root-CA for code signing certs - issuing certificates based on an
    OIDC email address
    fulcio only signs short-lived certificates that are valid for under 20
    minutes
    https://docs.sigstore.dev/fulcio/overview
    https://github.com/sigstore/fulcio

    View Slide

  63. fulcio
    Free Root-CA for code signing certs - issuing certificates based on an
    OIDC email address.
    fulcio only signs short-lived certificates that are valid for under 20
    minutes.
    https://twitter.com/jacques_chester/status/1506332697387491335

    View Slide

  64. rekor
    Greek for “Record”
    rekor is a transparency log where anyone can find and verify signatures,
    and check whether someone’s changed the source code, the build
    platform or the artifact repository.
    https://docs.sigstore.dev/rekor/overview
    https://github.com/sigstore/rekor

    View Slide

  65. cosign
    cosign: Container Signing, verification and storage in an OCI registry
    “Make signatures invisible infrastructure”
    Pluggable components
    https://docs.sigstore.dev/cosign/overview
    https://github.com/sigstore/cosign

    View Slide

  66. How it works!
    https://www.sigstore.dev/how-it-works

    View Slide

  67. The. Demo.

    View Slide

  68. Demo Recap
    ● Built a container
    ● Auth’d using cosign
    ● Signed a container using cosign
    ● Inspected the container’s signature using
    cosign

    View Slide

  69. Cool I have a signed container.
    Now what?

    View Slide

  70. Kubernetes Admission Webhooks
    Lightweight extensible way to “do something”
    with API Server requests
    Two kinds:
    - Validating Admission Webhook
    - Mutating Admission Webhook

    View Slide

  71. Kubernetes Admission Webhooks
    Lightweight extensible way to “do something”
    with API Server requests
    Two kinds:
    - Validating Admission Webhook
    - Mutating Admission Webhook

    View Slide

  72. Kubernetes Admission Webhooks

    webhooks:
    - name: "pod-policy.example.com"
    rules:
    - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE"]
    resources: ["pods"]
    scope: "Namespaced"

    View Slide

  73. Kubernetes Admission Webhooks
    Lightweight extensible way to “do something”
    with API Server requests
    Two kinds:
    - Validating Admission Webhook
    - Mutating Admission Webhook

    View Slide

  74. sigstore Policy Controller

    apiVersion: policy.sigstore.dev/v1beta1
    kind: ClusterImagePolicy
    metadata:
    name: image-policy
    spec:
    images:
    - glob: "**"

    View Slide

  75. sigstore Policy Controller

    apiVersion: policy.sigstore.dev/v1beta1
    kind: ClusterImagePolicy
    metadata:
    name: image-policy
    spec:
    images:
    - glob: "**"
    Beta

    View Slide

  76. Kubernetes native policy engine
    Entirely CRD-based
    https://kyverno.io

    View Slide

  77. Demo: Part Deux

    View Slide

  78. Demo Recap
    ● Installed Kyverno
    ● Attempted to create a Pod with an unsigned
    container image
    ● Successfully created a Pod with a signed
    container image Task Failed
    Successfully!

    View Slide

  79. Demo Recap
    ● Installed the Kyverno
    ● Attempted to create a Pod with an unsigned
    container image
    ● Successfully created a Pod with a signed
    container image Task Failed
    Successfully!

    View Slide

  80. kyverno is
    https://kyverno.io
    powerful
    configurable
    complicated

    View Slide

  81. Let’s Talk Automation

    View Slide

  82. https://github.blog/2021-12-06-safeguard-container-signing-capability-actions/

    View Slide

  83. https://github.blog/2021-12-06-safeguard-container-signing-capability-actions/

    View Slide

  84. GitHub Action
    jobs:
    test_cosign_action:
    runs-on: ubuntu-latest
    permissions: {}
    name: Install Cosign and test presence in path
    steps:
    - name: Install Cosign
    uses: sigstore/cosign-installer@main
    - name: Check install!
    run: cosign version
    https://github.com/sigstore/cosign-installer

    View Slide

  85. GitHub Action

    - name: Sign image with a key
    run: |
    cosign sign --key env://COSIGN_PRIVATE_KEY ${TAGS}
    env:
    TAGS: ${{ steps.docker_meta.outputs.tags }}
    COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
    COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
    https://github.com/sigstore/cosign-installer

    View Slide

  86. Batteries included support for cosign
    Create a secret called signing-secrets with
    the following structure:
    ● cosign.key
    ● cosign.password
    cosign generate-key-pair k8s://tekton-chains/signing-secrets
    Tekton (Chains)

    View Slide

  87. “Demo”: The Third

    View Slide

  88. Demo Recap
    ● Set up GitHub Action
    ● Use cosign to sign the image
    ● Use SLSA tooling to generate attestation
    ● User cosign to attach attestation in rekor
    ● Inspected and verified the image and SLSA
    payload

    View Slide

  89. sigstore: Not Just Containers

    View Slide

  90. Rust Crate Signing

    View Slide

  91. PyPi Signing
    https://pypi.org/project/sigstore/

    View Slide

  92. sigstore: Not Just Artifacts

    View Slide

  93. gitsign
    Keyless Git signing with Sigstore!
    Homebrew:
    brew install sigstore/tap/gitsign
    Go:
    go install github.com/sigstore/gitsign@latest

    View Slide

  94. gitsign
    # Sign all commits
    git config --global commit.gpgsign true
    # Sign all tags
    git config --global tag.gpgsign true
    # Use gitsign for signing
    git config --global gpg.x509.program gitsign
    # gitsign expects x509 args
    git config --global gpg.format x509
    https://github.com/sigstore/gitsign

    View Slide

  95. Demo #4

    View Slide

  96. Demo Recap
    ● Signed a git commit with gitsign
    ● Inspected the rekor log of the commit

    View Slide

  97. Tutorial Recap
    ● Supply chain security is an increasing
    concern when building, shipping, and running
    code.
    ● The SLSA framework can be used to enable
    or improve trust in the software that we build
    and run.

    View Slide

  98. Tutorial Recap
    ● sigstore looks to solve supply chain security
    with an end to end solution based on linking
    Identity and TLS certificates
    ● Automating SLSA provenance generation
    and artifact signing lowers the mental load
    on developers shipping software

    View Slide

  99. Tutorial Recap
    ● Starts with Containers / OCI-compliant
    artifacts
    ● Already moving further down the stack to
    packages

    View Slide

  100. Secure Distribution
    By Default

    View Slide

  101. Thanks + Q&A
    A @mrbobbytables + @jeefy Production

    View Slide

  102. Graveyard

    View Slide

  103. View Slide

  104. SLSA Framework
    Build Integrity
    ● Modification of code after source control
    ● Compromised build platforms
    ● Bypassing CI/CD
    Source Integrity
    ● Available change history
    ● Code review
    ● Compromised source control systems
    Dependencies
    ● Applying SLSA checks recursively to dependencies
    ● Dependency confusion

    View Slide