Advanced Track. Do this after finishing Chapters 01-14.

Estimated Time

  • Reading: 30-40 min
  • Lab: 60-90 min
  • Quiz: 15-20 min

Prerequisites

  • Core track (Chapters 01-14) completed.
  • GitOps promotion and observability workflows available.

Source Code References

  • verify-attestations.example.yaml
  • verify-images.example.yaml


What You Will Produce

A go/no-go evidence package: rollout results, remediation notes, and explicit rollback conditions.

Investigation

Start by proving artifact identity and signer evidence, not by reading logs.

Safe investigation sequence:

  1. Verify Digest & Signature: Check the digest and cryptographic signature for the running image.
  2. Confirm SBOM Match: Ensure the SBOM belongs to the exact same immutable artifact.
  3. Compare Identities: Compare the runtime identity with the tested promotion target from Chapter 04.
  4. Review Policy Reports: Check Kyverno or cluster events to see if the artifact was audited or denied.
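The four investigation steps above, carried through to the go/no-go evidence package this chapter asks for, as an added example that is not part of the course material or of the example policy files it references. It assumes `cosign` is on PATH for the signature step (the check is injectable so the rest of the logic runs without it), that the SBOM attestation has already been fetched and decoded into an in-toto Statement, and that the Kyverno PolicyReport has the usual `wgpolicyk8s.io/v1alpha2` shape; the image reference, digests, identity and report contents are constructed sample values.

```python
"""Go/no-go evidence package for a running image (added example, not course code)."""
import json
import re
import subprocess
from typing import Optional

DIGEST_RE = re.compile(r"@sha256:([0-9a-f]{64})$")


def digest_of(image_ref: str) -> Optional[str]:
    """Return the sha256 digest pinned in an image reference, or None when the
    reference is tag-only. A tag is mutable, so it is not artifact identity."""
    m = DIGEST_RE.search(image_ref)
    return m.group(1) if m else None


def cosign_verify(image_ref: str, identity: str, issuer: str) -> bool:
    """Step 1: ask cosign to verify the keyless signature on the exact digest.
    True only when cosign exits 0; a missing binary is a failure, never a pass."""
    cmd = ["cosign", "verify", "--certificate-identity", identity,
           "--certificate-oidc-issuer", issuer, image_ref]
    try:
        return subprocess.run(cmd, capture_output=True, check=False).returncode == 0
    except FileNotFoundError:
        return False


def sbom_matches(statement: dict, digest: str) -> bool:
    """Step 2: the in-toto Statement carrying the SBOM must name this exact
    digest as a subject; a matching image name alone proves nothing."""
    return any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", []))


def policy_findings(report: dict, pod: str, namespace: str) -> list:
    """Step 4: every non-pass Kyverno result recorded against this pod."""
    hits = []
    for r in report.get("results", []):
        if r.get("result") == "pass":
            continue
        for res in r.get("resources", []):
            if res.get("name") == pod and res.get("namespace") == namespace:
                hits.append((r.get("policy"), r.get("rule"), r.get("result"),
                             r.get("message", "")))
    return hits


def build_evidence(running_ref, promoted_digest, sbom_statement, policy_report,
                   pod, namespace, identity, issuer, verify=cosign_verify) -> dict:
    """Steps 1-4 combined; the promoted digest is the known-good rollback target."""
    digest = digest_of(running_ref)
    checks = {
        "digest_pinned": digest is not None,
        "signature_verified": digest is not None and verify(running_ref, identity, issuer),
        "sbom_matches_digest": digest is not None and sbom_matches(sbom_statement, digest),
        "matches_promotion_target": digest == promoted_digest,  # Step 3
    }
    findings = policy_findings(policy_report, pod, namespace)
    checks["no_policy_findings"] = not findings
    failed = [name for name, ok in checks.items() if not ok]
    return {
        "image": running_ref,
        "digest": digest,
        "checks": checks,
        "policy_findings": findings,
        "decision": "go" if not failed else "no-go",
        "rollback_conditions": [f"{name} failed" for name in failed],
        "rollback_target": f"sha256:{promoted_digest}",
    }


# Constructed sample input: the pod runs a digest that does NOT match the
# promotion record, the SBOM was produced for the promoted digest, and Kyverno
# recorded an audit failure against the pod.
PROMOTED_DIGEST = "a" * 64
RUNNING_REF = "registry.example.internal/payments/api@sha256:" + "b" * 64
SBOM_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "registry.example.internal/payments/api",
                 "digest": {"sha256": PROMOTED_DIGEST}}],
    "predicate": {},
}
POLICY_REPORT = {
    "apiVersion": "wgpolicyk8s.io/v1alpha2", "kind": "PolicyReport",
    "results": [{"policy": "verify-images", "rule": "check-signature", "result": "fail",
                 "message": "image not signed by trusted identity",
                 "resources": [{"kind": "Pod", "name": "api-7c9d", "namespace": "payments"}]}],
}


def demo() -> dict:
    # Signature check stubbed to False so the demo runs offline; pass
    # verify=cosign_verify against a real registry in the lab.
    return build_evidence(RUNNING_REF, PROMOTED_DIGEST, SBOM_STATEMENT, POLICY_REPORT,
                          pod="api-7c9d", namespace="payments",
                          identity="https://github.com/example-org/payments/.github/workflows/release.yml@refs/heads/main",
                          issuer="https://token.actions.githubusercontent.com",
                          verify=lambda *_: False)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Every check is a boolean that ends up in `rollback_conditions` when it fails, so the package states explicitly why a rollout is a no-go and which digest to roll back to; a tag-only reference fails `digest_pinned` and drags the signature and SBOM checks down with it, because there is no immutable identity to verify against.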

Containment

Containment is about restoring trust before accelerating the deployment.

Containment steps:

  1. Restore Known-Good: Roll back to the last known-good, cryptographically verified artifact.
  2. Re-run Approved Path: Force the signing and attestation through the official CI/CD pipeline.
  3. Audit Policy: Keep verification policies in Audit mode until stable results are confirmed.
  4. No Bypasses: Never “temporarily” disable provenance checks to complete a high-pressure release.

Pause and Predict: What automated guardrail would have prevented this incident entirely?