Kubernetes Deep Dive
by Sergey Okinchuk
Admission & PolicyCh. 7
Supply-Chain Security
Topic 37

Supply-Chain Security

TrustImages

Supply-chain security is about trusting what you actually run. A cluster can have perfect RBAC and still be compromised by a malicious or vulnerable container image. The controls here — signing, provenance, SBOMs, scanning, and admission-time verification — close the gap between the registry and the running Pod.

It is the part of security that lives outside the cluster as much as in it, and it has become a first-class concern as attacks increasingly target the build and distribution pipeline rather than the runtime.

The Threat Model

The risk is that the image you run is not what you think it is: a base image with a known vulnerability, a dependency that was tampered with, a tag that was repointed to malicious content, or an image pulled from an untrusted source. Because Kubernetes will faithfully run whatever image you reference, trust has to be established before admission — at build time and at pull time, not after the Pod is already running.

Signing and Verification

Image signing cryptographically binds an image to a signer. The common toolchain is Sigstore/cosign, which signs images (and other artifacts) and supports keyless signing tied to an identity. Verification is enforced at admission: a policy engine or a dedicated verifier checks the signature before allowing the Pod, so an unsigned or untrusted image is rejected. Signing proves origin and integrity; verification is what makes it matter.

Provenance, SBOMs, and Scanning

Beyond "who signed it," you want "how was it built" and "what is in it." Provenance (as formalized by SLSA) attests to the build process. An SBOM (software bill of materials) lists the components and versions inside an image, which is what lets you answer "are we affected by this new CVE?" in minutes instead of days. Scanning checks images against vulnerability databases — in CI before push, and continuously in the registry as new CVEs are disclosed against images you already shipped.

Pinning and Registry Hygiene

Two practical habits prevent most trouble. Pin images by digest, not a mutable tag — a tag like :latest can be repointed, and even a version tag can be overwritten, but a digest is the immutable content. And run from trusted registries with credentials scoped per workload, mirroring or vendoring critical public images rather than pulling them live from the internet. Combine these with admission-time signature verification and you have a chain of trust from build to run.

Pin by digest, not a mutable tag
containers:
  - name: app
    # avoid: image: my-app:latest
    image: registry.example.com/my-app@sha256:9b2c...e1
Tag vs digest reference

Tag (e.g. :latest, :1.2) — human-friendly but mutable — can be repointed or overwritten, so it does not guarantee identical content.

Digest (@sha256:…) — immutable content address — the same digest is always the same bytes. The basis of trust.

Common Mistakes
  • Running :latest or unpinned tags, so the content can change underneath you.
  • No admission-time signature verification, so any image that can be pulled will run.
  • Trusting public images blindly without scanning or mirroring them.
  • Baking secrets or credentials into images, where anyone with the image has them.
  • Treating a one-time CI scan as enough, instead of rescanning shipped images as new CVEs appear.
Best Practices
  • Pin images by digest so a Pod always runs the exact bytes you verified.
  • Sign images (cosign/Sigstore) and verify signatures at admission, rejecting untrusted images.
  • Generate SBOMs and scan in CI and continuously in the registry to answer CVE exposure fast.
  • Pull from trusted registries with per-workload credentials; mirror critical public images.
  • Keep secrets out of images entirely — inject them at runtime via Secrets or federation.
RelatedAdmission control — where signature/image policy is enforced (Topic 36)Containers and runtimes — OCI images are what gets signed (Topic 02)Cloud image scanning / registries — ECR, Artifact Registry, ACR scanning

Knowledge Check

Why pin a container image by digest instead of a tag?

  • A digest is an immutable content address; a tag can be repointed or overwritten, so it doesn't guarantee the same bytes
  • Digests pull noticeably faster because the registry skips the tag-resolution lookup and serves the cached layers directly
  • Tags cannot be used in a Kubernetes Pod spec and are rejected by the API server
  • Digests automatically encrypt the image layers as they are pulled to the node

Where is image signature verification enforced?

  • At admission — a policy/verifier checks the signature before the Pod is allowed to run
  • At build time only, in the CI pipeline that produces and signs the image before any push
  • By the kubelet after the Pod has already started running on the node
  • By the CNI plugin while it wires up the Pod's network namespace

What does an SBOM (software bill of materials) let you do quickly?

  • Determine whether your images contain a component affected by a newly disclosed CVE
  • Sign the image keylessly without ever generating a private key
  • Encrypt the image layers at rest so the registry cannot read them
  • Replace the need for admission control by gating which images may be deployed itself

You got correct