Topic: Secure Container Supply Chain in Kubernetes the Easy Way
➢ Introduction to Software Supply Chain Security
➢ Challenges and concerns from the industries and end users
➢ Notary v2: Sign and verify artifacts the easy way
➢ ORAS: Promote artifact across registries
➢ Ratify: enables Kubernetes clusters to verify artifact security prior to deployment
➢ Secure Supply Chain in CI/CD pipeline
Speaker: Feynman Zhou is a product manager working at Microsoft Azure. He is also a CNCF ambassador and an active contributor to Notary v2 and ORAS. Feynman focuses on software supply chain security and is also passionate about cloud-native technology. He is the event organizer of Kubernetes Community Days China.
Thursday, December 8, 2022 11:00 AM – 1:00 PM (UTC)
Agenda
11:00 AM
Secure Container Supply Chain in Kubernetes the Easy Way
Tons of tools are appearing to make software supply chain security easier for everyone and to provide security best practices for enterprises. Notary v2 is the next generation of the original signing project Notary, aiming to provide signing and verification capabilities with both usability and security.
Notation is the CLI tool of Notary v2. It creates cryptographic signatures in COSE envelopes for container images, so that you can make sure that the image someone produced is the same one that you are using, and that it has not been tampered with by others.
ORAS is a generic OCI registry client for distributing supply chain artifacts across clouds and on-prem. Ratify enables Kubernetes clusters to verify artifact security metadata prior to deployment and to admit for deployment only those artifacts that comply with an admission policy that you create.
In this session, Feynman will demonstrate how to secure your container supply chain with Notation, ORAS, Ratify, and an SBOM tool, providing a secure delivery experience in Kubernetes.