BestHub
Sign in
Information Security 18 min read

How to Verify Cross‑Cloud SLSA Attestations for Secure Kubernetes Deployments

This article explains how to strengthen Kubernetes supply‑chain security by using SLSA Source Track, the Notary Project’s Ratify tool, and policy engines like Gatekeeper to automatically generate, attach, and verify attestation proofs for OCI images before they are deployed to production clusters.

Alibaba Cloud Infrastructure
Alibaba Cloud Infrastructure
Alibaba Cloud Infrastructure
How to Verify Cross‑Cloud SLSA Attestations for Secure Kubernetes Deployments

Background

Modern software relies heavily on open‑source components, extending the software supply chain beyond an organization’s internal code. Verifying the authenticity and integrity of third‑party OCI artifacts before they are deployed to production clusters is essential to prevent security incidents.

SLSA and Source Track

SLSA (Supply‑chain Levels for Software Artifacts) defines a set of provenance and integrity guarantees from source code to deployment. The v1.2 release adds a Source Track that specifies incremental requirements for source‑level trust.

Key Open‑Source Tools

Notary Project : Framework for signing and verifying OCI artifacts using JWS/COSE signatures.

Ratify : CNCF sandbox project that integrates Notary, Cosign, SBOM scanners and policy engines (Gatekeeper, Kyverno) to enforce attestation checks at admission time.

SLSA source‑tool : Automates evaluation of a repository against SLSA Source Track levels and produces provenance and Verified Source Attestation (VSA) artifacts.

Demo Scenario: AI Agent Workloads

An AI Agent image is built from a GitHub repository. Each commit triggers the source-actions workflow, which runs the SLSA source‑tool, generates a signed VSA and provenance bundle, and attaches the bundle to the OCI image with oras.

Environment Setup

Install Gatekeeper and Ratify on an Alibaba Cloud ACK cluster and install the oras CLI.

Deploy kagent , the framework for managing AI Agents in Kubernetes, using the BYO (Bring‑Your‑Own) model.

Create a RatifyVerification ConstraintTemplate in Gatekeeper to forward admission requests to Ratify.

Apply a RatifyVerification Constraint that enforces the SLSA Source Policy for any image in the kagent namespace.

kubectl apply -f - <<EOF
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RatifyVerification
metadata:
  name: ratify-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Pod
    namespaces:
    - kagent
EOF

Generating and Attaching Attestations

After a successful CI run, download the prov_metadata artifact (an in‑toto signed bundle) and attach it to the demo image:

oras attach ghcr.io/dahuk/slsa-attestation-action-demo:sha-fcf594d signed_bundle.intoto.jsonl --artifact-type slsla/attestation
oras discover ghcr.io/dahuk/slsa-attestation-action-demo:sha-fcf594d

Deploying the Ratify Verifier Plugin

Create a Ratify verifier configuration that requires at least SLSA Source Level 2:

apiVersion: config.ratify.deislabs.io/v1beta1
kind: Verifier
metadata:
  name: verifier-slsa
spec:
  artifactTypes: slsla/attestation
  name: slsla
  parameters:
    expectedVerifiedLevels:
    - SLSA_SOURCE_LEVEL_2
    expectedVerifierId: https://github.com/slsa-framework/source-actions
    expectedResourceUri: git+https://github.com/DahuK/slsa-attestation-action-demo
  version: 1.0.0

Testing Enforcement

Deploy a BYO agent using a Level 1 image; Ratify blocks the admission and logs the failure. Then upgrade the image to a Level 3 build, update the verifier to require Level 3, and observe a successful deployment.

kubectl apply -f - <<EOF
apiVersion: kagent.dev/v1alpha2
kind: Agent
metadata:
  name: basic-agent
  namespace: kagent
spec:
  description: This agent can do anything.
  type: BYO
  byo:
    deployment:
      image: ghcr.io/dahuk/slsa-attestation-action-demo:sha-f5cd6f5
      env:
      - name: DASHSCOPE_API_KEY
        valueFrom:
          secretKeyRef:
            name: kagent-my-provider
            key: PROVIDER_API_KEY
EOF

Results

The pipeline demonstrates end‑to‑end supply‑chain security: source commits are evaluated against SLSA Source Track, attestations are signed and attached to OCI images, and Kubernetes admission controllers enforce the required security level before any workload runs.

Useful Resources

SLSA v1.2 RC1 – Overview: https://slsa.dev/spec/v1.2-rc1/about

Ratify Verifier Plugin Documentation: https://ratify.dev/docs/next/plugins/verifier/

SLSA source‑tool Design: https://github.com/slsa-framework/source-tool/blob/main/docs/DESIGN.md

SLSA Attestation Action Demo Repository: https://github.com/DahuK/slsa-attestation-action-demo

CI/CDKubernetesGatekeeperSupply Chain SecuritySLSAPolicy EnforcementAttestationRatify
Alibaba Cloud Infrastructure
Written by

Alibaba Cloud Infrastructure

For uninterrupted computing services

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment