KubeCon + CloudNativeCon + Open Source Summit + AI_dev China 2024

Ensuring the integrity and authenticity of container images is critical in securing the container supply chain. As developers are increasingly using images from external sources, questions arise: How can we verify these images originate from trusted vendors? How do we guarantee they are not altered since their creation? In this session, you will learn from the real-world experience of VMware Bitnami, who partnered with the Notary Project community to implement image signing and verification. Bitnami will show you how they use Notary Project signatures to ensure the integrity and authenticity of images from Docker Hub. Don't miss this opportunity to gain practical insights into container security with Notary Project within your CI/CD pipelines and during Kubernetes deployments! Additionally, we’ll explore future enhancements, including attestation support, empowering users to verify images from various perspectives such as provenance, vulnerability assessment, and software compliance.

确保容器镜像的完整性和真实性对于保护容器供应链至关重要。随着开发人员越来越多地使用来自外部来源的镜像，一些问题浮出水面：我们如何验证这些镜像来自可信赖的供应商？我们如何确保它们自创建以来没有被篡改？在这场演讲中，您将从VMware Bitnami的实际经验中学习，他们与Notary项目社区合作实施了镜像签名和验证。Bitnami将向您展示他们如何使用Notary项目签名来确保来自Docker Hub的镜像的完整性和真实性。不要错过这个机会，在您的CI/CD流水线和Kubernetes部署中通过Notary项目获得容器安全的实用见解！此外，我们将探讨未来的增强功能，包括证明支持，使用户能够从各种角度验证镜像，如来源、漏洞评估和软件合规性。