From YouTube: Secure Supply Chain in Kubernetes
Description
KCD Brasil 2022 - In this talk we will discuss the main concepts and tools used to implement the concept of Secure Software Supply Chain, which is basically about how to create secure pipelines and trustworthy applications for Kubernetes. We will demonstrate that with open-source tools it is possible to sign and implement verifications of applications in Kubernetes using OPA (Open Policy Agent) and Cosign.
Ten more years there for the horta movements, I worked a long time for integration. Luck is working with preaching platforms. When service-oriented architecture appeared, Nelson famous sound, I worked on it for years with Java, Java-based software architecture. I also worked, today I work... Hi Larissa, I'm a block specialist at Winter do, I really like it, a very dynamic, very interesting company to work for. I'm also the father of two children.
That is the SBOM, that is something interesting for us to understand, and a tool called... there is the signature of images, which is perhaps the flagship, and we are going to talk about Cosign, this tool that signs images, its implementation of policies and, at the very end, we're going to talk a little bit. Let's see here, I hope everything goes well too. The practical part is gone that we're going to talk about.
Of what has been happening there in the corporate environment today, it is not only... We have a hacker case here at the site trying to access a platform; we have problems that already exist today. The hacker platform resists the truth very well, synchronized hacker work to capture data; it also kidnaps data from companies and with that makes money on it, right, doing it that way, I kidnap, right. Okay, so with systematic damage, you get cybercrime in.
By 2025, it's bordering on 10.5 trillion, that's it! We have a source that knows that, that debentures predicted this. We believe that this number is even a little higher than that, right. That's a little, that's a forecast, but we believe that it could be even higher, and this is an extreme motivator, right, so that we can create mechanisms and tools so that the software chain is safe. That is, it is made in such a way that we have increasingly friendly mechanisms so that our convenient head is safe. Ok, that's good!
When we talk about supply chain, we have one there, a chain, right. In other words, it's a development chain, it's not just one where the lines part involves some steps, right. These steps are what they are today. We have a developer who develops code, but somehow this developer generates code. This code goes up there to a Git, right, to a tool where it stores this; it can then build this code, whether it is going to compile this code, right, it will generate.
Packages of this code, in this green will also be involved that, guys, remember Java, right there. For example, it's good to have several dependencies and we build just having them on top of the others. So look at the criollos, several dependencies that make my luck, if generated there, and at the end of that I'll generate then a package of the future; I'm not going to make a package of all this and I'm going to end up with someone going to consume this within the lens enough. We're putting it.
Today we are in a package there, just to be inside images, not a consumer, right. So, be it, I'm going to generate signed images. This idea: I'm going to have a consumer there that I'm going to have a validation policy. That's why you, the same inside Kubernetes, I'm just going to upload the packages, that is, in this case here, images; I'm going to upload resources that are validated, are signed, right. And also I can sign these dependencies, the dependencies, through the SBOM, right. So we're going to talk a little bit about these.
But I have a code that was poorly written, right, which offers beautiful skills, right? Only, if we take this point here, for example, it would be a point where either a hacker or maybe even the brand building of my luck, it indicates a problem, right? It has to get out of here from my source of dust. The e-mail can, it can be replaced in some way, so time, at various points, and we then, within our example, here we will work with this one, with this.
Watching here, if it comes back, the cost is ok, so it's good. Well, so, what's the SBOM? Doesn't it look good, so it's just a bill of materials of what it is, what my partner is made of. Actually, what it just happens to be is information! It's metadata about my dependencies. That is, when we are going to build software, and I saw this example, I liked it a lot, and if we get any dependency, we put it inside the software.
So the SBOM, it is a way for us to know about it, information about this whole package, this whole chain. It should provide metadata about my prize, my prize, another one of my packages that are being attached to mine, it's just my dependencies, so we need it. People need it to be mine, my package, increasingly transparent. It's a secure development process, right, so I can't have a me in my, in my, in my chain, in my production chain. I have to manage this risk.
Build an image; before, inside this image, the SBOM, that gives me information, and through this information, in the data, I can analyze and check if it ends, if it ends, if that dependency is consistent, man, with my partner. So here is an example of SPDX; the document contains, but what is it, the SBOM, what will it contain? The document information, the package information, the file information, the snippet information, right.
An example is not a good one, so here there will be a partner here; there will be the metadata information. Then you will have there Elite fai discription, right, a programming language. So, whether you know what information about that dependency of yours. Ok then, well. There is a tool called City that.
That I talked about; there's a pen drive going up in the environment, I get any image up in the environment from the internet, you, extremely... I'm adding encumbrance, I'm getting to jail, right. It's extremely fragile, so I need one. One of the ways to establish trust is to generate these signatures. You know where they come from, that is, if I establish a signature, I know who is there.
Processes work safely, especially with people, this tool, so Cosign, its main objective is that it provides a seal and is easy and intuitive, and especially its basic security principles, for people to be able to sign artifacts. So when we, it even talks about facts related to the supply chain, and Robson already explained this. We are talking about images, but they are talking about this, an SBOM; they are only talking about vulnerability scanning and Cosign.
Today it is a tool that is gaining a lot of importance, especially after we've seen all these attacks related to ransomware and other famous ones, you know. It's gaining a lot of relevance in the open source world and even in companies as an alternative for us to be able to bring some of this verifiability to container images. From here, in general, we can go right ahead, and the signing process is not very different from what we already know, right.
You have the public key, anyone can access it, and when you want to sign any type of artifact, you will use the combination of public and private keys, right, so that you can sign with the private key and transmit the public key, and then the person can use the public key to validate the signature, whether it was you or not. In the next one, good, and when we are talking about signature, it is not just a question of images. It is very important that we have in mind that, from now on, the supply chain is end-to-end secure.
It will be more and more demanded, so we have to have tools that support people signing. The image is: Rotar is devouring vulnerabilities, sign this scan, the test results, the SBOMs and other artifacts that, for any company, are relevant to ensure the reliability of that software product that is being supplied, installed, in its cover. Next, in the next, this is, we created a repository mayor of idea and you can later access it, go there in this apostle.
We, in a very simple way, try to demonstrate how it's just that the generation goes down. Well, it's via diabetes, right? Actually, how was it already, the SBOM, how do you sign a picture, so you can feel free and contribute there, and also, good, from the point of view of the validation policy that is important, right, since you taught this image via pipeline, I don't know, people take nutrients or any type of tool like that. Before you apply this image to your Kubernetes, you'll have to validate it.
That what is entering the cluster is valid. Ok, this mechanism is well known, admission control, and it has open-source software also linked to the CNCF, and someone is a teacher, right. So any idea of what I had to see, it is an implementation of admission control that allows you to create policies and validations and constructions, right. It's quite flexible and fast in the language, and not so fast for you to learn, to learn, for you to keep, for you to increment new rules.
It's quite easy and it's fully integrated with the Kubernetes ecosystem, so any Kubernetes administrator can install Gatekeeper, and in a few hours there's already something functional; that's important to start testing. You can go to the next. The good thing, from the point of view of CI/CD, we wanted to demonstrate here how little, where it actually goes in.
It doesn't go through the sign of CI and it gave continuous integration. It continues, remember where the signature part would enter, so in this example figure here, how does the flow work there, right? The developer commits the code, for example, in the video, in the case of the Ruby kit, in this figure. This is what it will do: it will provoke the execution of a pipeline.
The pipeline appears in the image, possibly with its own key, its own pair, and will request, in this case, for example, through the tour, that someone, right, the human being, the approval, right, approve the signature of this image. So that person will receive this task, will approve, interacting there with an ecosystem of Sigstore. This one is signed using the OpenID Connect standard and will be linked to an e-mail, right? If you later have the curiosity to look at the standard that they and the staff are implementing.
It is precisely the possibility of you signing not using a pair of public and private keys, but using certificates generated linked to your identity on the web, for example. Here, Google could identify you. Once this signed image, the pipeline finishes, and then this image is published in the repository there of the touch Rubi one, with all your signatures. In the next, Robson, and from the point of view of continuous delivery, is.
Is yesterday the validation of the signatures? So, imagine that an administrator or another developer is going to run a continuous delivery pipeline. Integration makes reference to an image that is or is not signed. This requests the club BR server, right, that is already configured to run Gatekeeper. Gatekeeper will evaluate the policies that are configurable and, if everything works out right, if they are those of what is expected, then this application will be approved. For example, if the signature had gone, did not exist, or had been forged by someone else.
We put it into practice here; we tried to explain it right from the homes with us. We will get here the part of an image that was generated. We passed to that process there, you can go towel to Claro, signed, and we will demonstrate here and I will give some commands that will also be validated there by the team later on. So let us kiss here so we can forget anything. The first thing we were dealing with, arriving, if it is version 001.
This image that we searched for here, go through there, she went. She was approved. Her signature, me, in this medium here. My e-mail is, so he brought this information. I could have, in addition to cinema, I could have several others. I could not add an image to the flow where I will have several and several a trainers. This is fast and it will validate this image. In addition,
Here it is signed by ET zombie Action Zac, who was Rodolfo. Oh well then, we have information that it was actually signed and, along with this signature, we have a little tea. Is that exactly ob-xa, which is the information from when the developer made the commit? I can't also verify that information to know if it's exactly the same thing that the developer committed, but there was no change in that over time. Then, if someone managed to hack, to change it, we have information.
It says the following: it checks if there is any e-mail attached there; at the beginning of the presentation of the theme, that we saw that called, and half a glass just finish, clothes, Gmail attached; it will check if there are and mensah exed to a taster of that signature; the next two leixions it will validate if the repository, until the image is coming, it is a repository that I can't, it's like I commented there. If it's not one, someone got something there on the internet, right.
We wrote this code, written, it will be typed here. It can be validated, account, right, a constant, right. These functions that the ticket team, it will withstand the following week, and spacing is a Chan product. If my e-mail is Léo G Silva, if there is such a way in my mother, sign repository to this touch, while Silva's bar here in this, ok, people can even put the following, right.
How to try to deploy one of, one can here, unsigned, the DE, an unsigned image. Just showing here is the code I'm trying to upload; it's an image, being able to get an image, right, gives Pioneer Leite, but it doesn't have any signature. It has nothing to do with my benefit, nothing to do with my production line, my supply chain here.
It is not what I want and it is not from several repositories. It is not the repository of that count, and Barro ao pai is not from a repository that I accept. It's just that we can. We always wanted to stay here. That I can change these policies, right. It's very quick. Here comes plastic. We can't get my client; what I'm going to do there, I'm going to update my policy. We see there, for my e-mail, right, Robson Firmino, and to show you that it's easy here, simple.
Ok, the environment is already painted and now I'm going to try to do it. I'm going to get the signed image that we have signed with my approved signature. So when I approve the signature and post the niacin for us through that method, kilos, so I'm going to try to do it. The deposit of this image, our environment, is the first uncle can. Then it is the example that we have there. 0 0 41 is already from a valid repository, right, and I will try to apply this signed image.
The pots are the important points that we wanted to bring to you, right, no. In the time that we had, it is that this question of DevSecOps, right, it was much talked about in the past, but I think it is increasingly relevant. Given that the number of events of, you know, believer has been happening, so increasing, right, a lot of people to Cloud, but it is still very complicated to play the security project, the project related to any one of these safe supply chain issues.
Understanding tools requires specialized training, so we can't leave it for tomorrow; we have to bring this issue to our leaders, for our companies, today. Ok, it's something we learned by scratching a little, right? UX is fundamental. You can't give your developer extremely complex tools, because when he's going to work with a complex ecosystem, he'll eventually get into that, because there's always going to be a tight deadline, there's always something that's going to get in the way. So, yeah, it's important to give a good experience not only for those who.
Sent it very well in that sense, it's there and working with, you know. Security is still not a trivial thing, I believe it never is, it never becomes trivial, but it needs planning, right. So it's not a, or I want to put a safe shoe, I'm just going to, I don't know, download that, I'm going to download the City, I'm going to go out, putting the numbers, people, if it's ready? No, we have to study and we have to have a consistent project for that.
Already everyone followed us, we are here and need to know more about. We follow part there. You can look for us, ask us, we are at your disposal and respond. Thank you very much, organizers, for this time. These steps there, our contacts, just talk, and that we will leave. I apologize once again for the computational failure and thank you again for the opportunity, is panato, complementing what you said. You ok, correct. It's really not a Google product. It's Sigstore, it's a product.