Kubernetes signals massive adoption of sigstore for protecting open source ecosystem

The Kubernetes and sigstore communities today are announcing that Kubernetes is adopting sigstore in production for signing artifacts and verifying signatures, enabling Kubernetes users for the first time to verify that the distribution they are using is exactly what it claims to be. 

sigstore, introduced just last year, is a free signing service for software developers that improves the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparency log technologies. As Wired put it, it's like the "John Hancock and wax seal of the digital era." It has quickly become the standard for signing, verifying and protecting software for its ability to automate digitally signing and checking software artifacts, enabling software to have a safer chain of custody that can be traced back to the source. 

Kubernetes 1.24, released today, and all future releases will include cryptographically signed sigstore certificates, giving users the ability to verify signatures and have greater confidence in the origin of each and every deployed Kubernetes binary, source code bundle and container image. 

"This is a huge step in protecting the integrity of the Kubernetes ecosystem and demonstrates that code signing at enormous scale is possible and frankly necessary due to the increase in supply chain attacks," said Tracy Miranda, head of open source at Chainguard. "This adoption and integration is the result of many months of work with multiple stakeholders and a testament to the power of open source collaboration." 

"It's great to see adoption of sigstore, especially with a project such as Kubernetes which runs many critical workloads that need the utmost protection," said Luke Hinds, Security Engineering Lead at Red Hat, CTO & Member of the Kubernetes Security Response Team & Founder of the sigstore Project. 

"Kubernetes is a well known and widely adopted open source project and can inspire other open source projects to improve their software supply chain security by following SLSA levels and signing with sigstore," said Bob Callaway, Staff Software Engineer at Google, sigstore TSC member and project founder. "We built sigstore to be easy, free and seamless so that it would be massively adopted and protect us all from supply chain attacks. Kubernetes' choice to use sigstore is a testament to that work."

The Kubernetes release team began exploring SLSA compliance in early 2021 to improve Kubernetes software supply chain security. SLSA is a security framework that includes a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in projects, businesses and enterprises. sigstore was a key project in achieving SLSA level 2 status and in getting a head start towards SLSA level 3 compliance, which the Kubernetes community expects to reach this August.

sigstore also delivers a variety of benefits to the Kubernetes community, including:

  • sigstore's keyless signing gives a great developer experience and removes the need for painful key management.
  • sigstore's public transparency log (Rekor) and APIs mean Kubernetes consumers may easily verify signed artifacts.
  • sigstore's use of standards, such as support for any Open Container Initiative (OCI) artifact (including containers, Helm Charts, configuration files and policy bundles) and OpenID Connect (OIDC), means it can integrate seamlessly with other tools and services.
  • The very active, open source and vendor neutral sigstore community gives confidence that the project will be rapidly adopted and become a de-facto industry standard. 

"For years now SIG Release has been working to incrementally enhance the robustness of the Kubernetes project's releases. This latest announcement, and the collaboration across open source communities which made it possible, comes in the context of a growing awareness in industry that software supply chains and open source project releases are a critical area in which we must all work to improve. Security is a never ending journey, but each step delivered to decrease attackers' ability to undermine the integrity of our supply chains is an important one," said Tim Pepper, Head of Open Source Technology Center at VMware, Kubernetes Steering Committee and Emeritus SIG Release Lead.

"I'm personally proud of the whole SIG Release team and especially the Release Engineering subproject. We managed to deliver an important milestone as part of our overall Roadmap and Vision to establish a consumable, introspectable, and secure supply chain for Kubernetes. Acting as a role model for supply chain security is one of the most important efforts we're working on right now. In the Kubernetes v1.24 release cycle, we managed to finish more than 50 GitHub Issues and Pull Requests only for the Minimum Valuable Product (MVP) of container image signing, which is a tremendous achievement for the whole team! I'd like to say thank you again on behalf of the SIG Release leadership team and we're looking forward to our bright future of supply chain security," said Sascha Grunert, Kubernetes SIG Release Chair and Senior Software Engineer at Red Hat.

In addition to the millions of developers who use Kubernetes directly or indirectly, this benefits everyone at a company aiming to comply with the recent NIST Secure Software Development Framework (SSDF) requirements. (See "sigstore + NIST SSDF".)

Published Tuesday, May 03, 2022 1:13 PM by David Marshall