KubeCon + CloudNativeCon + Open Source Summit + AI_dev China 2024

Navigating the complexities of supply chain security might seem intimidating, especially with evolving frameworks like SLSA (Supply-chain Levels for Software Artifacts). This talk introduces beginners to the foundational practices required to secure software from build to runtime using CNCF tools. We'll explore how GitHub Actions can automate build processes, integrate with Cosign for keyless artifact signing, and use Kyverno for runtime policy enforcement. Additionally, we'll discuss how tools like in-toto and Kubescape help manage and verify artifact integrity, providing a holistic view of SLSA compliance in the Kubernetes ecosystem. To enhance security further, we will also briefly discuss the potential integration of Hardware Security Modules (HSMs) into the supply chain. HSMs can offer an added layer of security for key management operations critical to signing processes, ensuring that cryptographic keys are managed securely and are resilient against attack.

在KubeCon的一个会话描述： 供应链安全的复杂性可能看起来令人望而却步，尤其是随着像SLSA（软件构件供应链级别）这样不断发展的框架。 本次演讲将向初学者介绍使用CNCF工具来确保软件从构建到运行时的基本实践。 我们将探讨GitHub Actions如何自动化构建流程，与Cosign集成进行无密钥构件签名，以及使用Kyverno进行运行时策略执行。此外，我们还将讨论像in-toto和Kubescape这样的工具如何帮助管理和验证构件完整性，为Kubernetes生态系统中的SLSA合规性提供全面视角。 为了进一步增强安全性，我们还将简要讨论将硬件安全模块（HSMs）集成到供应链中的潜在可能性。HSMs可以为关键管理操作提供额外的安全层，这对签名过程至关重要，确保加密密钥得到安全管理，并且具有抵御攻击的弹性。