Everyone can contribute! Learn DevOps and Cloud Native in our cafe ☕

Technology is moving fast in the DevOps and Cloud Native community.

Join the conversation and add your thoughts, tips, experiences, stories.

"Everyone Can Contribute" is inspired by GitLab's mission.

51. #EveryoneCanContribute Cafe: First look: Chainguard Enforce with Carlos Panato

Carlos Panato started with a short introduction into Software Supply Chain Security and which problem Chainguard aims to solve. The demo follows a great story line on deploying a container image with GitLab CI/CD, verify the image manually, showing Chainguard on the CLI to pull image policies, create custom policies, observe and enforce, sign using cosign inside CI/CD. The following discussion touched topic such as SBOM, key signing, and also cluster runtime security with eBPF. Last but not least, we talked about Kubernetes 1.24 adopting Sigstore and making cloud-native projects more secure.

Join Carlos next week at KubeCon EU with the SIG Release Update with “Releasing Kubernetes Less Often and More Secure”!


We’ve learned about:

  • Chainguard Enforce
    • Software Supply Chain Security
    • Enforce with policies, CLI and Kubernetes cluster agent integration
  • Demo
    • Webserver in Go, container image build. deployed to GCP in GKE
    • Image not yet signed - cosign verify fails
    • chainctl CLI SaaS login - automatically downloads the default Chainguard image policy as ClusterImagePolicy CRD
    • Create a new ClusterImagePolicy for the GitLab runner service
    • Install the Chainguard agent - light-weight, different namespace, request limits: 1 CPU, 1GB maximum to consume less cluster resources.
    • Agent collects metrics and observes the cluster image policies chainctl clusters ls
    • Policy enforce via validation webhooks to block things.
    • Modifying the GitLab CI/CD to sign the image (using the GitLab Dependency Proxy to avoid Docker Hub Rate Limit).
    • Deploy and verify the signed image
    • Move from observing to enforcing the policies, verify the signatures and identities
    • Enforce analyses the Software Bill of Materials (SBOM - CycloneDX, SPDX as format)
  • Roadmap
  • Resources


The next meetup happens on June 14, 2022.

We will meet on the second Tuesday at 9am PT.

Date published: May 10, 2022

Tags: Cicd, Containers, Dev, Devsecops, Kubernetes, Cloudnative, Security, Sigstore, Chainguard