Advanced Track

Do this after finishing Chapters 01-14.

Estimated Time

  • Reading: 30-40 min
  • Lab: 60-90 min
  • Quiz: 15-20 min

Prerequisites

  • Core track (Chapters 01-14) completed.
  • GitOps promotion and observability workflows available.

Source Code References

  • verify-attestations.example.yaml
  • verify-images.example.yaml

What You Will Produce

A go/no-go evidence package: rollout results, remediation notes, and explicit rollback conditions.

Incident Hook

An urgent fix is rebuilt from a developer’s workstation and pushed with a familiar image tag. The deployment appears normal, but during triage, the team cannot prove which workflow produced the binary. Signer identity, SBOM lineage, and dependency baselines are all missing.

Result: Rollback confidence drops because the trust lineage of the running artifact is uncertain. Recovery delay shifts from a technical problem to a trust problem.

Observed Symptoms

What the team sees first:

  • The workload is running, but artifact provenance is unclear.
  • Tags look familiar, but signature and SBOM evidence do not line up.
  • Responders must investigate the identity of the code before they can trust the rollback path.

When an image “looks right,” teams are tempted to skip provenance. That is exactly when high-impact mistakes occur.

Supply Chain Baseline

To prevent untrusted code from reaching production, we enforce a strict, verifiable artifact model in which every running container can be traced back to an authorized build:

  1. Immutable Identity: All artifacts are referenced by digest or immutable version tags.
  2. SBOM Generation: A Software Bill of Materials (SBOM) is generated for every release artifact.
  3. Signing & Attestation: Every image is cryptographically signed and attested by an authorized CI workflow.
  4. Admission Verification: The cluster verifies the signature and attestation before allowing the container to run.
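The four controls above form one chain, and the incident hook is what happens when a link is missing. The following Go program is an added example, not part of the chapter's own materials or the referenced `verify-*.example.yaml` policies: it models each control in an admission-style check with a simplified in-toto-like attestation and Ed25519 keys derived from constructed seeds. The image digest, SBOM document, and the allowed builder identity (`https://github.com/example-org/app/.github/workflows/release.yml`) are all hypothetical; a real cluster would delegate signature and attestation checks to its admission controller and to the registry's actual digests.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
)

// Attestation is a simplified in-toto style statement (hypothetical layout):
// which digest it covers, which CI workflow built it, and the SBOM it ships with.
type Attestation struct {
	SubjectDigest string `json:"subjectDigest"`
	BuilderID     string `json:"builderId"`
	SBOMDigest    string `json:"sbomDigest"`
}

// Signed bundles an attestation payload with the Ed25519 signature over it.
type Signed struct {
	Payload   []byte
	Signature []byte
}

var digestRef = regexp.MustCompile(`^[a-z0-9./-]+@sha256:([0-9a-f]{64})$`)

// Control 1 (Immutable Identity): accept only digest-pinned references. A tag
// such as "app:hotfix" is rejected because it can be re-pointed after the fact.
func pinnedDigest(ref string) (string, error) {
	m := digestRef.FindStringSubmatch(ref)
	if m == nil {
		return "", fmt.Errorf("reference %q is not pinned by sha256 digest", ref)
	}
	return m[1], nil
}

// Control 2 (SBOM Generation): hash the SBOM so the attestation can bind one
// specific bill of materials to the image digest.
func sbomDigest(sbom []byte) string {
	sum := sha256.Sum256(sbom)
	return hex.EncodeToString(sum[:])
}

// Control 3 (Signing & Attestation): the CI workflow signs the attestation.
func sign(priv ed25519.PrivateKey, att Attestation) (Signed, error) {
	payload, err := json.Marshal(att)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Control 4 (Admission Verification): fail closed on any gap in the lineage:
// unpinned ref, bad signature, unauthorized builder, or SBOM/attestation mismatch.
func admit(ref string, sbom []byte, s Signed, ciPub ed25519.PublicKey, allowedBuilders []string) error {
	digest, err := pinnedDigest(ref)
	if err != nil {
		return err
	}
	if !ed25519.Verify(ciPub, s.Payload, s.Signature) {
		return fmt.Errorf("attestation signature does not verify against the CI key")
	}
	var att Attestation
	if err := json.Unmarshal(s.Payload, &att); err != nil {
		return fmt.Errorf("attestation payload is not valid JSON: %w", err)
	}
	if att.SubjectDigest != digest {
		return fmt.Errorf("attestation covers %s, deployment references %s", att.SubjectDigest, digest)
	}
	builderOK := false
	for _, b := range allowedBuilders {
		if b == att.BuilderID {
			builderOK = true
		}
	}
	if !builderOK {
		return fmt.Errorf("builder %q is not an authorized CI workflow", att.BuilderID)
	}
	if got := sbomDigest(sbom); got != att.SBOMDigest {
		return fmt.Errorf("SBOM digest %s does not match attested %s", got, att.SBOMDigest)
	}
	return nil
}

// ciKey derives a deterministic Ed25519 keypair from a constructed seed so the
// example runs offline; real CI would use a KMS-backed or keyless (OIDC) signer.
func ciKey(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	h := sha256.Sum256([]byte(seed))
	priv := ed25519.NewKeyFromSeed(h[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Scenario replays the chapter's incident as four admission decisions, keyed by case.
func Scenario() map[string]error {
	pub, priv := ciKey("constructed-ci-seed")
	_, rogue := ciKey("constructed-workstation-seed")
	sbom := []byte(`{"components":[{"name":"libfoo","version":"1.2.3"}]}`) // constructed SBOM
	manifest := sha256.Sum256([]byte("constructed image manifest"))
	digest := hex.EncodeToString(manifest[:])
	ref := "registry.example/app@sha256:" + digest
	allowed := []string{"https://github.com/example-org/app/.github/workflows/release.yml"} // hypothetical

	good, _ := sign(priv, Attestation{digest, allowed[0], sbomDigest(sbom)})
	rogueSig, _ := sign(rogue, Attestation{digest, allowed[0], sbomDigest(sbom)}) // claims CI identity, wrong key
	staleSBOM, _ := sign(priv, Attestation{digest, allowed[0], sbomDigest([]byte("{}"))})

	return map[string]error{
		"ci":               admit(ref, sbom, good, pub, allowed),
		"mutable-tag":      admit("registry.example/app:hotfix", sbom, good, pub, allowed),
		"untrusted-signer": admit(ref, sbom, rogueSig, pub, allowed),
		"sbom-mismatch":    admit(ref, sbom, staleSBOM, pub, allowed),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-17s admitted=%v err=%v\n", name, err == nil, err)
	}
}
```

Only the CI-built, digest-pinned image is admitted. The workstation rebuild fails in three independent ways, which is the point of layering the controls: even if a responder re-tags the hotfix with a familiar name, the cluster still cannot be talked into running it, and the rejection reason tells triage exactly which piece of lineage is missing.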

What AI Would Propose (Brave Junior):

  • “Rebuild locally and push now to save time.”
  • “Skip signing for this release only.”
  • “Use mutable tags for faster retagging.”

Pause and Predict: Before reading the investigation, write down your top 3 hypotheses. What would you check first?