Advanced Track

Do this after finishing Chapters 01-14.

Estimated Time

  • Reading: 30-40 min
  • Lab: 60-90 min
  • Quiz: 15-20 min

Prerequisites

  • Core track (Chapters 01-14) completed.
  • GitOps promotion and observability workflows available.

Source Code References

  • verify-attestations.example.yaml
  • verify-images.example.yaml

What You Will Produce

A go/no-go evidence package: rollout results, remediation notes, and explicit rollback conditions.

Core Exercises (Required)

  1. Sign an Image: Use cosign to sign a test image from your registry, referencing it by digest (image@sha256:<digest>) rather than by tag, since a tag can be moved to a different build after you sign. Verify the signature locally with cosign verify.
  2. Audit Drill: Apply an image verification policy in Audit mode. Push and deploy an unsigned image, confirm that it is still admitted, and find the violation in the cluster events or Kyverno PolicyReports.
  3. Enforce Drill: Switch the policy to Enforce mode. Attempt to deploy the unsigned image and document the admission rejection message returned by the API server.
  4. SBOM Check: Generate an SBOM for your backend container image and verify that the image digest recorded in the SBOM matches the digest of the image actually running (the resolved imageID in the pod status), not merely the tag named in the manifest.
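The SBOM Check comes down to comparing two digests: the one the SBOM says it describes and the one the kubelet actually pulled. The script below is an added example for this exercise, not part of the course materials. It assumes syft-style CycloneDX JSON (image reference in metadata.component.name, digest in metadata.component.version, with purl and hashes as fallbacks) and pod JSON shaped like `kubectl get pod -o json`, where status.containerStatuses[].imageID carries the resolved digest. All sample data is constructed inline and the digests are placeholders; the function names are this example's own.

```python
"""SBOM-to-running-image digest check (added example for the SBOM Check
exercise; not part of the course materials).

Assumptions, labelled as such: syft-style CycloneDX JSON that records the
scanned image reference in metadata.component.name and its digest in
metadata.component.version; pod JSON shaped like `kubectl get pod -o json`,
where status.containerStatuses[].imageID carries the resolved digest.
All sample data below is constructed; the digests are placeholders.
"""
import json
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Constructed placeholder digests of the correct shape (not real image digests).
GOOD_DIGEST = "sha256:" + "a1" * 32
STALE_DIGEST = "sha256:" + "b2" * 32

# Constructed CycloneDX SBOM trimmed to the fields that matter here.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {
        "type": "container",
        "name": "registry.example.com/backend",
        "version": GOOD_DIGEST,
    }},
    "components": [{"type": "library", "name": "libssl3", "version": "3.0.13"}],
})

# Constructed SBOM generated from a source directory instead of the image:
# it carries an application version but no image digest, so it proves nothing
# about what is running.
SBOM_DIRSCAN_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "backend", "version": "1.4.2"}},
})


def _pod_json(image_id: str) -> str:
    # Constructed pod status. The tag in spec.containers is deliberately NOT
    # the evidence; only status.containerStatuses[].imageID is.
    return json.dumps({
        "kind": "Pod",
        "spec": {"containers": [{"name": "backend", "image": "registry.example.com/backend:1.4.2"}]},
        "status": {"containerStatuses": [{
            "name": "backend",
            "image": "registry.example.com/backend:1.4.2",
            "imageID": "registry.example.com/backend@" + image_id,
        }]},
    })


POD_JSON = _pod_json(GOOD_DIGEST)         # tag 1.4.2 resolved to the described digest
POD_STALE_JSON = _pod_json(STALE_DIGEST)  # same tag, moved to a different build


def sbom_digest(sbom: dict) -> str:
    """Return the sha256 digest the SBOM claims to describe, or raise."""
    comp = sbom.get("metadata", {}).get("component", {})
    candidates = [comp.get("version", ""), comp.get("purl", "")]
    for h in comp.get("hashes", []):
        if h.get("alg") == "SHA-256":
            candidates.append("sha256:" + h.get("content", ""))
    for value in candidates:
        # purls percent-encode the colon: pkg:oci/backend@sha256%3A...
        match = DIGEST_RE.search(value.replace("%3A", ":"))
        if match:
            return match.group(0)
    raise ValueError("SBOM records no sha256 image digest; it was probably "
                     "generated from a directory, not from the image")


def running_digest(pod: dict, container: str) -> str:
    """Return the digest the kubelet actually pulled for `container`."""
    for status in pod.get("status", {}).get("containerStatuses", []):
        if status.get("name") == container:
            match = DIGEST_RE.search(status.get("imageID", ""))
            if match:
                return match.group(0)
            raise ValueError(f"container {container!r} has no resolved imageID yet")
    raise ValueError(f"container {container!r} not present in pod status")


def sbom_matches_running_image(sbom_json: str, pod_json: str, container: str) -> dict:
    """Compare the SBOM's subject digest with the running image's digest."""
    try:
        want = sbom_digest(json.loads(sbom_json))
        have = running_digest(json.loads(pod_json), container)
    except ValueError as exc:
        return {"match": False, "reason": str(exc)}
    return {"match": want == have, "sbom_digest": want, "running_digest": have}


if __name__ == "__main__":
    for label, pod in (("fresh", POD_JSON), ("stale", POD_STALE_JSON)):
        print(label, sbom_matches_running_image(SBOM_JSON, pod, "backend"))
    print("dirscan", sbom_matches_running_image(SBOM_DIRSCAN_JSON, POD_JSON, "backend"))
```

The stale case is the one that matters for "build once, promote many": the manifest tag is identical in both pods, so only the digest in imageID distinguishes the build the SBOM describes from a build that reused the tag. The dirscan case shows why the SBOM must be generated against the image reference, not the source tree, if it is to serve as digest-level evidence.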

Challenge Exercise (Optional)

Full SBOM Attestation Chain: Generate an SBOM for the backend container image, sign it with cosign, and verify the attestation at admission time. Document the full trust chain from build to cluster entry.
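For the Audit and Enforce drills above and for this challenge, a single Kyverno verifyImages rule covers both the signature check and the SBOM attestation check. The policy below is an added illustration, not the course's verify-images.example.yaml or verify-attestations.example.yaml, which are not reproduced here. The registry path registry.example.com/backend and the cosign.pub placeholder are assumptions; the predicate type https://cyclonedx.org/bom is what `cosign attest --type cyclonedx` produces, and the bomFormat condition is an illustrative JMESPath check over the predicate body.

```yaml
# Added example policy for the Audit/Enforce drills and the attestation challenge.
# Not the course's own files. Assumed: registry.example.com/backend, cosign.pub.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-backend-image
spec:
  # Audit: violations are recorded in PolicyReports and events, the pod still runs.
  # Enforce: the admission request is rejected. Changing only this value is the Enforce drill.
  validationFailureAction: Audit
  background: false
  webhookTimeoutSeconds: 30
  # Fail closed: if the Kyverno webhook is unreachable, deny rather than admit unverified.
  failurePolicy: Fail
  rules:
    - name: require-cosign-signature-and-sbom
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/backend*"
          # Rewrite tags to the resolved digest so what was verified is what runs.
          mutateDigest: true
          verifyDigest: true
          required: true
          # Core exercises 2 and 3: the image must carry a signature by this key.
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <contents of cosign.pub>
                      -----END PUBLIC KEY-----
          # Challenge: the image must also carry a CycloneDX SBOM attestation
          # signed by the same key (cosign attest --type cyclonedx --predicate sbom.json).
          attestations:
            - type: https://cyclonedx.org/bom
              attestors:
                - count: 1
                  entries:
                    - keys:
                        publicKeys: |-
                          -----BEGIN PUBLIC KEY-----
                          <contents of cosign.pub>
                          -----END PUBLIC KEY-----
              # Illustrative condition over the predicate body (JMESPath); tighten as needed.
              conditions:
                - all:
                    - key: "{{ bomFormat }}"
                      operator: Equals
                      value: CycloneDX
```

In Audit mode the unsigned image is admitted and the failure shows up as a PolicyReport entry and a Kyverno event on the Pod; in Enforce mode the same request is rejected by the admission webhook and the rejection message names the rule and the image. For the evidence package, capture the report entry from the Audit drill, the rejection message from the Enforce drill, and the `cosign verify-attestation --type cyclonedx` output that closes the chain from build to cluster entry.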

Done When

You have completed this chapter when:

  • You can explain why “build once, promote many” is required for provenance.
  • You have successfully signed and attested a container image.
  • You have demonstrated policy behavior in both Audit and Enforce modes.
  • You can handle an untrusted artifact denial without disabling your security guardrails.
  • You can prove artifact identity using digest-level evidence.

Knowledge Check

Before finishing this chapter, complete the Quiz to verify your understanding of the guardrail principles.