Supply Chain Security: Cosign & SBOM
Key Takeaways for AI & Readers
- Image Integrity: Supply chain security ensures that the container images running in your cluster are authentic and untampered, preventing malicious injections.
- Image Signing (Cosign): Tools like Cosign digitally sign images, and admission controllers verify these signatures, blocking unapproved or compromised images.
- Software Bill of Materials (SBOM): SBOMs provide a comprehensive list of all dependencies within an image, enabling rapid identification of vulnerable applications.
- Defense in Depth: A multi-faceted approach, including signing, SBOMs, and policy enforcement, is crucial for robust software supply chain security.
Securing your cluster isn't just about RBAC and Network Policies. You must also ensure the code you are running is exactly what your developers built. An attacker could compromise your Image Registry and swap your nginx image with a malicious one.
1. Image Signing (Cosign)
The industry standard for image integrity is Cosign. Every time your CI pipeline builds an image, it "signs" it using a private key.
Image Registry
💿
app:v1.2.0
🔐 Cosign: Signed
Cluster Result
❓
Waiting...
Using Cosign and Kyverno, you can enforce that ONLY cryptographically signed images from your trusted build pipeline are allowed to run.
In your cluster, an Admission Controller (like Kyverno) checks the signature. If the image isn't signed by YOUR key, it is blocked from running.
2. Software Bill of Materials (SBOM)
An SBOM is a nested inventory of every library and dependency in your container.
- Why: If a new vulnerability (like Log4j) is discovered, you can scan your SBOMs to instantly find which pods are vulnerable without scanning every live container.
3. Trust but Verify
- Build: Create image.
- Sign: Run
cosign sign. - Attest: Generate SBOM and attach it to the image.
- Enforce: Use a Policy Engine to block unsigned images.