Runbook: Supply Chain Verification (Advanced)
Purpose
Operate artifact trust controls during deploy and incident response without bypassing safety.
Scope
This runbook covers:
- signature and attestation verification checks
- Kyverno verify policy behavior (Audit/Enforce)
- incident triage for untrusted artifact events
Pre-Deploy Checklist
- Artifact is immutable (digest or immutable env tag).
- SBOM/provenance evidence exists.
- Signature verification succeeds.
- Policy mode for target namespace is known (Audit or Enforce).
Verification Commands
# Keyless verification: pin the expected signer identity and OIDC issuer
# (replace the placeholders with your CI workflow identity and issuer URL)
cosign verify --certificate-identity-regexp "<workflow-identity-regexp>" --certificate-oidc-issuer "<oidc-issuer-url>" "$IMAGE_REF"
cosign verify-attestation --type spdx --certificate-identity-regexp "<workflow-identity-regexp>" --certificate-oidc-issuer "<oidc-issuer-url>" "$IMAGE_REF"
kubectl get cpol | rg "verify|attestation"
kubectl get policyreport -A
Namespace-level incident evidence:
kubectl -n <ns> get events --sort-by=.lastTimestamp | tail -n 30
kubectl -n <ns> describe pod <pod-name>
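The checklist and verification commands above, combined into one pre-deploy gate script. This is an added example, not tooling from the runbook: it assumes keyless Sigstore signing, and the variables EXPECTED_IDENTITY, EXPECTED_ISSUER and POLICY_NAME are placeholders you set for your own CI workflow and Kyverno policy. The digest check rejects tag references so that only immutable artifacts reach verification, and each failure returns a distinct exit code so a pipeline step can tell the failure modes apart.

```shell
#!/usr/bin/env bash
# Added example (not part of the runbook): pre-deploy gate for one artifact.
# Assumes keyless signing; EXPECTED_IDENTITY / EXPECTED_ISSUER / POLICY_NAME
# are placeholders for your environment.
set -eu

# Immutable reference check: registry/repo@sha256:<64 hex digits>.
# Mutable tags (":v1", ":latest") are rejected on purpose.
is_digest_pinned() {
  printf '%s' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Reports the mode of the named Kyverno ClusterPolicy (Audit/Enforce),
# or "unknown" if the policy cannot be read.
policy_mode() {
  kubectl get cpol "$1" -o jsonpath='{.spec.validationFailureAction}' 2>/dev/null \
    || echo unknown
}

# Exit codes: 1 = mutable ref, 2 = signature failed, 3 = attestation failed.
verify_artifact() {
  local ref="$1"
  is_digest_pinned "$ref" || { echo "refusing mutable reference: $ref" >&2; return 1; }
  cosign verify \
    --certificate-identity-regexp "$EXPECTED_IDENTITY" \
    --certificate-oidc-issuer "$EXPECTED_ISSUER" \
    "$ref" >/dev/null || { echo "signature verification failed: $ref" >&2; return 2; }
  cosign verify-attestation --type spdx \
    --certificate-identity-regexp "$EXPECTED_IDENTITY" \
    --certificate-oidc-issuer "$EXPECTED_ISSUER" \
    "$ref" >/dev/null || { echo "SBOM attestation missing or invalid: $ref" >&2; return 3; }
  echo "ok: $ref"
}

# Usage: IMAGE_REF=registry.example.com/team/app@sha256:... \
#        EXPECTED_IDENTITY='https://github.com/example-org/.+' \
#        EXPECTED_ISSUER=https://token.actions.githubusercontent.com ./gate.sh
# The gate only runs when IMAGE_REF is set, so the functions can also be sourced.
if [ -n "${IMAGE_REF:-}" ]; then
  : "${EXPECTED_IDENTITY:?set to your CI workflow identity regexp}"
  : "${EXPECTED_ISSUER:?set to your OIDC issuer URL}"
  echo "policy mode: $(policy_mode "${POLICY_NAME:-verify-images}")"
  verify_artifact "$IMAGE_REF"
fi
```

Run it from the CI promotion step; a non-zero exit blocks promotion, and the exit code maps directly onto the failure modes listed later in this runbook.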
Incident Workflow
- Freeze promotion of the questionable artifact.
- Validate signature and attestation against policy constraints.
- If validation fails, roll back to the last known trusted digest.
- Record policy and event evidence in the incident timeline.
- Fix the CI signing/provenance path before the next promotion.
Audit to Enforce Strategy
- Start in Audit for develop.
- Review violations for at least one full release cycle.
- Tighten identity constraints (issuer/subject) as needed.
- Move selected rules to Enforce in develop.
- Promote policy mode gradually to higher environments.
Failure Modes
- Missing signature:
- expected: audit/deny depending on mode
- action: fix signing in CI, do not bypass in production
- Untrusted signer identity:
- expected: audit/deny
- action: align OIDC workflow identity and policy constraints
- Missing/invalid attestation:
- expected: audit/deny when attestation rule is active
- action: restore SBOM/provenance generation in pipeline
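The three failure modes above, turned into a small triage helper for the incident workflow. This is an added example, not part of the runbook's tooling: it classifies verification error lines (for example from cosign output or the namespace events listed earlier) into the runbook's categories and prints the matching action. The match patterns are an assumption based on common cosign and Kyverno wording and should be adjusted to the messages your versions emit; the sample lines at the bottom are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the runbook's own tooling): classify verification failures
# into the runbook's failure modes and print the prescribed action.
set -eu

# Returns one of: untrusted-signer, missing-attestation, missing-signature, unclassified.
# Identity errors are tested first because cosign reports them for both
# signature and attestation checks. Patterns are assumptions; tune per version.
classify_verify_failure() {
  local msg
  msg=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$msg" in
    *"expected identities"*|*"certificate identity"*|*"oidc issuer"*)
      echo untrusted-signer ;;
    *"no matching attestations"*|*"attestation"*)
      echo missing-attestation ;;
    *"no matching signatures"*|*"no signatures found"*|*"signature"*)
      echo missing-signature ;;
    *) echo unclassified ;;
  esac
}

# The action column from the Failure Modes list, keyed by category.
recommended_action() {
  case "$1" in
    missing-signature)   echo "fix signing in CI; do not bypass in production" ;;
    untrusted-signer)    echo "align OIDC workflow identity and policy constraints" ;;
    missing-attestation) echo "restore SBOM/provenance generation in pipeline" ;;
    *)                   echo "inspect manually and record in incident timeline" ;;
  esac
}

# Reads error lines on stdin, prints "category<TAB>action" per line.
# Usage: kubectl -n <ns> get events --sort-by=.lastTimestamp | grep -i verif | triage
triage() {
  local line cat
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    cat=$(classify_verify_failure "$line")
    printf '%s\t%s\n' "$cat" "$(recommended_action "$cat")"
  done
}

# Constructed sample lines (not real output), used when run directly.
if [ "${0##*/}" = "triage.sh" ]; then
  triage <<'EOF'
Error: no matching signatures: image registry.example.com/team/app@sha256:...
Error: none of the expected identities matched what was in the certificate
Error: no matching attestations for predicate type https://spdx.dev/Document
EOF
fi
```

Feed it the event and pod descriptions collected during triage; the category names line up with the rollback and remediation steps in the incident workflow, so the timeline entry can reference them directly.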
Break-Glass Rule
A break-glass exception must be:
- time-bound
- scoped to specific workload/environment
- linked to incident or approval record
- removed immediately after remediation