Session
Secure Your Deployments: Projects, Assemble!
This talk will be a live demonstration of using several currently available CNCF projects to improve the security of applications deployed on Kubernetes. The typical flow for teams is to build, push to a container registry, and deploy. During the talk, we will modify each of these steps to make it more secure.
First, we use Cloud Native Buildpacks to generate a Software Bill of Materials (SBOM) for the app by default. This lets users know exactly what is inside the image.
Next, we sign the build using cosign to provide attestation and provenance.
Third, we use private registries (e.g. Harbor) and the ORAS project to store images and other OCI artifacts.
Finally, we use Kyverno as a policy engine that allows only compliant, secure, and verified images to be deployed on the Kubernetes cluster.
The four steps highlighted above will benefit users greatly by making their deployments secure and resilient against supply chain attacks.
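
The admission step described above could look like the following Kyverno policy. This is an added example, not material from the talk: the registry host harbor.example.internal, the policy and rule names, and the placeholder public key are assumptions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-images-from-private-registry   # hypothetical name
spec:
  validationFailureAction: Enforce   # reject non-compliant Pods instead of only auditing
  background: false                  # image verification applies at admission time
  webhookTimeoutSeconds: 30          # signature lookups call out to the registry
  rules:
    # Rule 1: only images pulled from the private registry may run.
    - name: restrict-registry
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Images must come from harbor.example.internal."
        pattern:
          spec:
            =(initContainers):       # checked only when initContainers are present
              - image: "harbor.example.internal/*"
            containers:
              - image: "harbor.example.internal/*"
    # Rule 2: every matching image must carry a cosign signature
    # that verifies against the team's public key.
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "harbor.example.internal/*"
          mutateDigest: true         # pin the admitted image to the digest that was verified
          attestors:
            - count: 1
              entries:
                - keys:
                    # Placeholder: paste the contents of cosign.pub
                    # (from `cosign generate-key-pair`) here.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <public key placeholder>
                      -----END PUBLIC KEY-----
```

With this policy enforced, a Pod referencing an unsigned image, or an image from any other registry, is rejected by the admission webhook before it is scheduled.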

Ram Iyengar
Developer Advocate at the Cloud Foundry Foundation
Chennai, India