
Supply Chain Security

Every container image running in a Petra cluster is traceable to its source, verified at multiple stages, and continuously monitored.

Image Sourcing

All container images originate exclusively from Chainguard (cgr.dev/shebash.io). Chainguard images are:

  • Built from scratch using apko and melange (not layered on base images)
  • Minimal: no shell, no package manager, no unnecessary utilities
  • Rebuilt daily with automated scanning for rapid CVE remediation
  • Signed with cosign (Sigstore keyless, OIDC-based identity)
  • Published with SBOM in SPDX format
  • Available in FIPS variants built with Go 1.24 native FIPS crypto (CAVP A6650)
  • Attested with SLSA Build Level 3 provenance

Verification Pipeline

Chainguard build pipeline (SLSA L3)
-> cosign signature (build-time identity)
-> petra bundle create (digest pin, scan, signature verify)
-> Bundle signing (cosign sign-blob)
-> CDS transfer (audit log)
-> Bundle signature verification (disconnected side)
-> Image loading (pre-pulled or registry pull)
-> Admission control (Sigstore policy-controller)
-> Runtime monitoring (Tetragon eBPF)

At every stage, a cryptographic commitment binds the artifact to its verified state at the previous stage.

Build-Time Controls

During petra bundle create:

  1. Each image is pulled by digest (digest pinning), never by a mutable tag
  2. The cosign signature on each image is verified against Chainguard's CA
  3. Each image is scanned for known CVEs, with configurable thresholds that fail the build
  4. The SBOM and SLSA provenance are recorded in the bundle metadata

Bundle Integrity

  • Per-file SHA-256 digests in metadata manifest
  • Bundle signed with cosign sign-blob
  • Images referenced by digest (not tag)
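The bundle integrity checks above, as an added example that is not Petra's own code: a per-file SHA-256 manifest built on the connected side and verified on the disconnected side, which also rejects image references that are not digest-pinned. The manifest file name, its layout and the sample image list are assumptions; signing the manifest itself with cosign sign-blob is left to cosign and happens outside this snippet.

```python
import hashlib
import re
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name of the signed blob; excluded from the file list
# An acceptable image reference carries an immutable sha256 digest; a bare tag does not match.
DIGEST_REF = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()  # whole file; stream for multi-GB blobs

def bundle_files(bundle_dir: Path) -> dict[str, Path]:
    return {p.relative_to(bundle_dir).as_posix(): p
            for p in sorted(bundle_dir.rglob("*"))
            if p.is_file() and p.name != MANIFEST_NAME}

def build_manifest(bundle_dir: Path, images: list[str]) -> dict:
    """Connected side: digest every bundle file and refuse tag-only image references."""
    bad = [i for i in images if not DIGEST_REF.match(i)]
    if bad:
        raise ValueError(f"image references must be digest-pinned: {bad}")
    files = {rel: sha256_file(p) for rel, p in bundle_files(bundle_dir).items()}
    return {"files": files, "images": images}

def verify_manifest(bundle_dir: Path, manifest: dict) -> list[str]:
    """Disconnected side, after the manifest's own signature has been checked: list findings."""
    present = bundle_files(bundle_dir)
    findings = []
    for rel, expected in manifest["files"].items():
        if rel not in present:
            findings.append(f"missing: {rel}")
        elif sha256_file(present[rel]) != expected:
            findings.append(f"digest mismatch: {rel}")
    findings += [f"unlisted file: {rel}" for rel in present if rel not in manifest["files"]]
    findings += [f"tag reference: {i}" for i in manifest["images"] if not DIGEST_REF.match(i)]
    return findings

def demo() -> dict:
    """Constructed bundle: a clean check, then a blob altered in transit plus an injected file."""
    pinned = "cgr.dev/shebash.io/static@sha256:" + "a" * 64  # placeholder digest
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "images" / "static.tar").write_bytes(b"layer bytes")
        (root / "policy.yaml").write_text("apiVersion: v1\n")
        manifest = build_manifest(root, [pinned])
        clean = verify_manifest(root, manifest)
        (root / "images" / "static.tar").write_bytes(b"layer bytes, altered in transit")
        (root / "extra.sh").write_text("echo injected\n")
        return {"clean": clean, "tampered": verify_manifest(root, manifest)}
```

A non-empty findings list means the bundle must be rejected before any image is loaded; an empty one only proves the files match the manifest, so the cosign verify-blob step on the manifest remains the root of trust.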

Admission Control

The Sigstore Policy Controller re-verifies cosign signatures at Kubernetes admission time. Gatekeeper restricts image sources to the internal registry. An image not part of the signed bundle cannot enter the cluster.

Continuous Compliance

kube-bench runs CIS Kubernetes Benchmark 1.8 checks every 6 hours on control-plane nodes, validating API server flags, etcd encryption, kubelet configuration, and RBAC settings. Results are stored as Job logs and can be aggregated by any monitoring pipeline.