Kubernetes Supply Chain Security - Building a Secure Software Factory

Explore the critical topic of Kubernetes supply chain security in this 36-minute conference talk by Andrew Martin from Control Plane. Dive into the concept of a Software Factory approach for defending against supply chain risks, based on work from the US Air Force and DoD. Learn about the original supply chain attack described by Ken Thompson 35 years ago and how it relates to modern threats like the SUNBURST attacks. Discover how cloud native technologies can address these challenges through a showcase of building a Kubernetes Software Factory with Tekton. Gain insights into signing and verification approaches using tools such as in-toto, TUF, SPIFFE, SPIRE, and sigstore. Examine lessons learned from recent attacks and explore future cloud native solutions for hardening Kubernetes, builds, and infrastructure. Understand the complexities of the producer-consumer problem in supply chain relationships across various levels of industry and technology.

Intro
About Control Plane
Agenda
Supply Chain Security
What is a Supply Chain
Software Supply Chain
Post Bare Metal
Software Factory
Supply Chain
Attack
Danger Zone
Supply chain compromises
How do we attack
Salsa
Reverse Shell
Trivia Scan
Signing
Container Images
Chain Guards
Reference Architecture
Entoto