Open Source Summit Europe 2022

For the past two years, the Kubernetes Release Engineering Team (a subproject of SIG Release) has been hard at work hardening the Kubernetes supply chain, aiming to make it SLSA Level 3 compliant by the time Kubernetes 1.25 is released. The road to level 3 has produced a complete suite of open source projects that constitute the fundamental building blocks of a secure supply chain. And now, other projects and companies can leverage the Kubernetes release toolset to secure their chains! Guided by the CNCF Security TAG Best Practices whitepaper, the Release Engineering team built a set of tools that allow anyone to: - Building and publishing SBOMs (Software Bill of Materials) - Securely releasing staged images and artifacts - Signing and verifying container images and binaries leveraging Sigstore's transparency log, CA, and public infrastructure - Generating SLSA attestations of each step in a release pipeline All release tooling was designed from the get-go to be completely general-purpose and the talk will feature how other projects beyond K8s itself are using them in their releases. To finish the talk, Adolfo will demo a reference implementation of a SLSA-compliant pipeline using the K8s Release Engineering tools which any project can use to build its release process.