I’m excited to see @puerco talking about securing the Kubernetes software supply chain. Yay SIG Release :) #KubeCon
LOL at @puerco’s fake TED talk beginning, I was howling 😂
OMG this is so funny 😂
So @puerco started off with some hysterical examples of software supply chain solutions, based on Star Wars. Now he’s covering how they build and release artifacts for k8s. #KubeCon
They added SBOMs a while ago. Then they started signing images at the staging point of the process. The problem with that is an attacker could compromise things and sign a bad artifact. #KubeCon
Then they promote the artifacts and they verify the image signatures in that process. They sign them again before they are copied to the production registry. So you can see they were built by the release team (1st sig), and released by the Kubernetes project (2nd sig). #KubeCon
Diagram of the release process. #KubeCon
One last step after that picture: they copy things to the production bucket, including the SBOMs and attestations. #KubeCon
Seriously, thank you to @puerco and everyone else on SIG Release who is working to secure the Kubernetes supply chain. As Adolfo mentioned, they have a small team and it’s a lot of work. They would love to have more help too :) #KubeCon
Also I know some of the folks working on this are @chainguard_dev employees and I appreciate the company donating the time to do this important upstream work. Thank you Chainguard :) #KubeCon
Good question about sigstore. @puerco explained that the “keyless” signing is done with ephemeral keys, and the public keys are stored in the transparency log. #KubeCon
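The two-signature promotion flow and the keyless idea from the thread (staging signature by the release team, verified at promotion, then a second signature by the project, with ephemeral keys whose public halves live in a transparency log), as an added toy model written for this page, not code from the talk, SIG Release or sigstore. It assumes Go's standard-library Ed25519 as a stand-in for the real cosign/Rekor machinery, and the identity strings and log schema are invented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Entry is a toy transparency-log record (not Rekor's real schema):
// signer identity, artifact digest, ephemeral public key and signature.
type Entry struct {
	Identity string
	Digest   [32]byte
	Pub      ed25519.PublicKey
	Sig      []byte
}

type Log struct{ Entries []Entry } // append-only transparency log

// KeylessSign mints a throwaway key pair, signs the artifact digest and
// records the public key in the log; the private key is gone on return.
func (l *Log) KeylessSign(identity string, artifact []byte) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	d := sha256.Sum256(artifact)
	l.Entries = append(l.Entries, Entry{identity, d, pub, ed25519.Sign(priv, d[:])})
	return nil
}

// Verify reports whether the log holds a valid signature over artifact by identity.
func (l *Log) Verify(identity string, artifact []byte) bool {
	d := sha256.Sum256(artifact)
	for _, e := range l.Entries {
		if e.Identity == identity && e.Digest == d && ed25519.Verify(e.Pub, d[:], e.Sig) {
			return true
		}
	}
	return false
}

// Promote verifies the release team's staging signature, then adds the project's own.
func Promote(l *Log, artifact []byte) error {
	if !l.Verify("release-team", artifact) {
		return errors.New("staging signature missing or invalid: refusing to promote")
	}
	return l.KeylessSign("kubernetes-project", artifact)
}
```

A consumer checks that both identities verify for the digest it pulled; an artifact signed only at staging, or signed over a different digest, fails that check.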