KubeCon + CloudNativeCon Europe 2023

Over the past two years, Kubernetes SIG Release shifted focus from automating the k8s release process to building stronger security features. And now, all the work done by the Release Engineering team has been packaged into really cool tools that anybody can use to harden their project's supply chain security stance. Our toolkit lets users pick and choose from the same components that our Release Managers use to secure the Kubernetes releases with features like: * Software Bill of Materials * Signed SLSA provenance attestations * Signed container images and artifacts * Secure GitHub release pages The tools can work with any project, no need to be part of the Kubernetes family! In this talk, puerco will showcase how these tools are in use today, helping secure the releases of other projects across the Cloud Native landscape, including Knative, Istio, Cilium, CRI-O, Vitess, and others. He will show simple examples to achieve better supply chain security in your project by signing artifacts, creating SBOMs, and provenance data just as big OSS projects do it. All using helpful reusable GitHub actions. The talk will close with a shameless call for contributors passionate about CI/CD and software supply chain security to come and join the Kubernetes Release Engineering team!