Software supply chain attacks are increasing. Securing your Kubernetes supply chain means verifying every component from source code to running container.
The Supply Chain
PLAINTEXT
Source Code → Build → Container Image → Registry → Kubernetes
Each step is a potential attack vector.
SLSA Framework
Supply-chain Levels for Software Artifacts (SLSA) defines security levels:
- Level 1: Documentation of build process
- Level 2: Tamper resistance of build service
- Level 3: Hardened builds with provenance
- Level 4: Two-person review, hermetic builds
Software Bill of Materials (SBOM)
Generate SBOMs for your images:
BASH
# Using Syft
syft nginx:latest -o spdx-json > nginx-sbom.json
# Using Trivy
trivy image nginx:latest --format spdx-json
Image Signing with Cosign
BASH
# Generate keys
cosign generate-key-pair
# Sign image
cosign sign --key cosign.key myregistry/myapp:v1.0
# Verify signature
cosign verify --key cosign.pub myregistry/myapp:v1.0
Admission Control with Sigstore
Use Kyverno to enforce signatures:
YAML
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce
  rules:
    - name: verify-signature
      match:
        resources:
          kinds:
            - Pod
      verifyImages:
        - imageReferences:
            - "myregistry/*"
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      ...
                      -----END PUBLIC KEY-----
Dependency Management
Lock Dependencies
DOCKERFILE
# Pin base image by digest
FROM node:18@sha256:abc123...
# Lock npm dependencies (npm ci needs both package.json and package-lock.json)
COPY package.json package-lock.json ./
RUN npm ci --omit=dev
Automated Updates
Use Dependabot or Renovate to keep dependencies current. For Renovate, in renovate.json:
JSON
{
  "extends": ["config:base"],
  "kubernetes": {
    "fileMatch": ["k8s/.+\\.yaml$"]
  }
}
Trusted Registries
Only allow images from approved registries using admission controllers.
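As an added example (not code from the original post), the following Python check audits a Pod manifest before deployment for the two rules above: images must come from an approved registry and be pinned by digest. The allowlist host `registry.example.com`, the function names and the sample manifest are assumptions made for illustration; note that under Docker's reference rules a name such as `myregistry/myapp` resolves to Docker Hub, not to a private host.

```python
import re

# Assumption for this example: one approved registry host (placeholder name).
ALLOWED_REGISTRIES = {"registry.example.com"}
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def split_registry(image):
    """Split an image reference into (registry host, remainder)."""
    first, sep, rest = image.partition("/")
    # Docker convention: the first component is a host only if it contains
    # "." or ":" or is "localhost"; otherwise the image is on Docker Hub.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower(), rest
    return "docker.io", image

def check_image(image):
    """Return the list of policy violations for one image reference."""
    problems = []
    registry, _ = split_registry(image)
    if registry not in ALLOWED_REGISTRIES:  # exact host match, never a prefix
        problems.append(f"registry {registry} is not approved")
    if not DIGEST_RE.search(image):
        problems.append("not pinned by sha256 digest")
    return problems

def audit_pod(pod):
    """Map each violating image in a Pod manifest (dict) to its problems."""
    findings = {}
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            problems = check_image(container.get("image", ""))
            if problems:
                findings[container.get("image", "")] = problems
    return findings

# Constructed sample manifest; the digest is a dummy value.
PINNED = "registry.example.com/team/app@sha256:" + "a" * 64
SAMPLE_POD = {"spec": {
    "initContainers": [{"image": "registry.example.com.evil.test/init:1"}],
    "containers": [{"image": PINNED}, {"image": "myregistry/myapp:v1.0"}],
}}

if __name__ == "__main__":
    for image, problems in audit_pod(SAMPLE_POD).items():
        print(f"{image}: {'; '.join(problems)}")
```

A check like this belongs in CI as an early signal; the admission controller remains the enforcement point inside the cluster.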
Supply chain security requires vigilance at every step.