Let devs be devs without sacrificing security

Andrew McNamara; Red Hat


Devs need to be protected from threats

SLSA supply chain threats

Source: https://slsa.dev/spec/v1.1/threats-overview


What does it mean to be a developer?

Build off of open source software

Troubleshoot their builds

Explore new problem spaces and solutions

Use tooling that is supportive not disruptive


Devs want to easily build artifacts

[Image: build process chain]

Devs want to troubleshoot builds

[Image: troubleshoot system]

Devs want to explore new tech

[Image: explore pipelines]

Devs don’t need to be this unhappy

SLSA Build L3:

Harden the build platform

Generate provenance


K8s + Tekton

Foundation Platform

Kubernetes provides RBAC, containerization, and namespace isolation. Tekton provides the pipeline execution framework.

Tekton

Trusted Task Library
K8s + Tekton

Secure Task Library

A library of tasks providing common and critical functions which need to be secure and auditable.

Konflux trusted tasks

Konflux architecture overview




Trusted Artifacts
Trusted Task Library
K8s + Tekton

Trusted Artifacts

A method of sharing data between tasks which allows detection of data alterations.
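The trusted-artifact idea above, as an added example that is not Konflux's own code: the producing task packs a directory and pins it to its SHA-256 digest, and the consuming task refuses any bytes that do not match the pinned reference. The function names (create_artifact, use_artifact, demo) and the sample source tree are assumptions; in-memory bytes stand in for the registry push and pull that the oci-ta tasks perform.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

def create_artifact(src: Path, name: str) -> tuple[bytes, str]:
    """Producer task: tar the directory and pin it to its content digest.
    The reference 'name@sha256:<digest>' is what is handed to the next task."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for p in sorted(src.rglob("*")):
            info = tar.gettarinfo(str(p), arcname=str(p.relative_to(src)))
            info.mtime, info.uid, info.gid = 0, 0, 0   # reproducible digest
            info.uname = info.gname = ""
            if p.is_file():
                with open(p, "rb") as f:
                    tar.addfile(info, f)
            else:
                tar.addfile(info)
    data = buf.getvalue()
    return data, f"{name}@sha256:{hashlib.sha256(data).hexdigest()}"

def use_artifact(data: bytes, reference: str, dest: Path) -> bool:
    """Consumer task: extract only if the bytes match the pinned digest."""
    expected = reference.rsplit("@sha256:", 1)[1]
    if hashlib.sha256(data).hexdigest() != expected:
        return False                                    # alteration detected
    # The "data" filter (Python 3.12+, backported to patch releases) blocks path traversal.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        tar.extractall(dest, **kwargs)
    return True

def demo() -> tuple[bool, bool, bool]:
    """Constructed sample: a tiny source tree shared between two tasks."""
    with tempfile.TemporaryDirectory() as tmp:
        src, out = Path(tmp, "src"), Path(tmp, "out")
        (src / "pkg").mkdir(parents=True)
        (src / "pkg" / "main.go").write_text("package main\n")
        (src / "go.mod").write_text("module example.test\n")
        data, ref = create_artifact(src, "oci-ta-source")
        ok = use_artifact(data, ref, out) and (out / "pkg" / "main.go").exists()
        # Same content yields the same reference, so the pin is stable.
        stable = create_artifact(src, "oci-ta-source")[1] == ref
        # Flip one byte in transit: the consumer must refuse it.
        tampered = bytearray(data)
        tampered[-1] ^= 0xFF
        rejected = not use_artifact(bytes(tampered), ref, Path(tmp, "out2"))
        return ok, stable, rejected
```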

Konflux trusted artifacts



Konflux observer attestations


Observer Generated Attestations
Trusted Artifacts
Trusted Task Library
K8s + Tekton

Observer Generated Attestations

Attestations are generated separately from the pipeline (by an 'observer') so they cannot be influenced by the user.


https://tekton.dev/docs/chains/slsa-provenance/#how-does-tekton-chains-work


Konflux policy engine


Policy Engine
Observer Generated Attestations
Trusted Artifacts
Trusted Task Library
K8s + Tekton

Policy Engine

A policy engine is used to compare the attestations against required policy (we use Conforma).

[Screenshot: Conforma policy example, allowed base images]

[Screenshot: Conforma policy violations, allowed base images]


Release Service
Policy Engine
Observer Generated Attestations
Trusted Artifacts
Trusted Task Library
K8s + Tekton

Release Service

Release service gates access to protected destinations based on policy evaluation.


Devs can easily build artifacts



Devs can troubleshoot builds


$ oras manifest fetch --pretty quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4 | jq .annotations
{
  "dev.konflux-ci.task.previous-migration-bundle": "",
  "org.opencontainers.image.description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.",
  "org.opencontainers.image.documentation": "https://github.com/konflux-ci/build-definitions/tree/75741ae0dbd0e3ffa0414acc7fbc950740e889ae/task/buildah-remote-oci-ta/0.4/README.md",
  "org.opencontainers.image.revision": "75741ae0dbd0e3ffa0414acc7fbc950740e889ae",
  "org.opencontainers.image.source": "https://github.com/konflux-ci/build-definitions",
  "org.opencontainers.image.url": "https://github.com/konflux-ci/build-definitions/tree/75741ae0dbd0e3ffa0414acc7fbc950740e889ae/task/buildah-remote-oci-ta/0.4",
  "org.opencontainers.image.version": "0.4"
}


Devs can explore new tech


Devs don’t need to be this unhappy

[Logos: Tekton, Tekton Chains, Pipelines as Code, Conforma]

Konflux

Thank you!

GitHub: @arewm
arewm@redhat.com

Konflux CI: konflux-ci.dev
Hermeto: hermetoproject.github.io/hermeto
Conforma: conforma.dev