Tekton Chains is a Kubernetes Custom Resource Definition (CRD) controller that adds supply chain security features to Tekton pipelines. It watches TaskRun and PipelineRun executions, captures what each run consumed and produced, signs that information with a key you configure, and stores the resulting signatures and attestations in a backend you choose. The result is a verifiable, tamper-evident record of what each run built and how, which is the basis for checking the integrity of your software supply chain.
Built on the foundation of Tekton Pipelines, Tekton Chains extends the CI/CD capabilities with security features that allow organizations to implement Software Supply Chain Security practices according to industry standards like SLSA (Supply-chain Levels for Software Artifacts).
The core advantages of Tekton Chains are as follows:
Secure Software Supply Chain
Tekton Chains signs the artifacts a run declares as outputs, for example a container image surfaced through the IMAGE_URL and IMAGE_DIGEST results, so that a consumer can verify before deployment that an artifact is exactly the one a trusted pipeline built and has not been altered since. Artifacts a Task produces but does not surface through results are not signed.
SLSA Compliance
Generates in-toto attestations in several SLSA provenance formats, helping organizations meet industry expectations for supply chain security. Signed provenance is one requirement of the higher SLSA build levels; the level you can actually claim also depends on properties of the build platform itself, such as how well the signing material is isolated from the build steps.
Seamless Integration
Works natively with Tekton Pipelines, requiring minimal configuration changes to existing CI/CD workflows while adding robust security features.
Flexible Storage Options
Supports multiple storage backends, including the Tekton backend (which records signatures and attestations as annotations on the run itself), OCI registries, GCS, and more, so you can store signatures and attestations where they make the most sense for your organization.
Multiple Signing Methods
Supports various signing mechanisms including x509, Cosign, and KMS systems (GCP KMS, Hashicorp Vault, AWS KMS, Azure KMS), providing flexibility in how you secure your supply chain.
The main application scenarios of Tekton Chains are as follows:
Secure CI/CD Pipelines
Organizations can use Tekton Chains to add cryptographic verification to their existing CI/CD pipelines, ensuring that all artifacts produced are signed and verifiable.
Compliance Requirements
For organizations that must meet regulatory or industry compliance requirements around software supply chain security, Tekton Chains produces signed attestations that can serve as evidence of how each artifact was built. Whether a given requirement is satisfied still depends on the policy those attestations are verified against.
Container Image Signing
Automatically sign container images built within Tekton pipelines. Chains produces the signatures; an admission-time verifier in the deployment environment, which is a separate component, is what checks them and refuses images that carry no valid signature for their digest.
Provenance Generation
Generate and sign SLSA provenance for the artifacts a run declares, providing a verifiable record of the builder, the inputs, and the steps that produced each artifact.
Transparency Logging
Upload signed attestations to a transparency log such as Rekor, so that third parties can confirm a signature was publicly recorded at signing time rather than relying on the signer's word alone.
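To make the signing and verification flow behind image signing and provenance generation concrete, here is an added example written for this page; it is not code from the Tekton Chains project. It is in Go because that is the language Chains itself is written in. It builds a minimal in-toto statement of the shape Chains emits for its slsa/v1 format, wraps it in a DSSE envelope whose signature covers the pre-authentication encoding (PAE) rather than the raw payload, verifies the envelope, and then performs the check a deploy gate has to make after the signature: that the statement's subject digest is the image actually being admitted. The image name, digest, key seed and key id are constructed values; the predicate type and builder id are what I understand the slsa/v1 format to use, so confirm them against your Chains release. The key is Ed25519 from the Go standard library rather than the ECDSA P-256 key pair cosign generates by default, and the statement is trimmed to a few fields, so this models the flow and is not a drop-in verifier: against a real cluster you would run cosign verify-attestation with the Chains public key and then apply the same subject check to the decoded payload.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Identifiers Chains uses for its slsa/v1 format (assumed here; confirm against your release).
const payloadType = "application/vnd.in-toto+json"
const predicateType = "https://slsa.dev/provenance/v1"

// Statement is the in-toto statement inside the DSSE payload; its subject digest binds it to one artifact.
type Statement struct {
	Type          string          `json:"_type"`
	Subject       []Subject       `json:"subject"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}
type Subject struct { Name string `json:"name"`; Digest map[string]string `json:"digest"` }

// Envelope is DSSE; each signature covers pae(), never the raw payload bytes.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct { KeyID string `json:"keyid"`; Sig string `json:"sig"` }

// pae is the DSSE pre-authentication encoding "DSSEv1 <len> <type> <len> <body>".
func pae(typ string, body []byte) []byte {
	return append([]byte(fmt.Sprintf("DSSEv1 %d %s %d ", len(typ), typ, len(body))), body...)
}

// sampleStatement builds a constructed Chains-style SLSA v1 statement for one image (builder id assumed).
func sampleStatement(image, sha256 string) Statement {
	return Statement{Type: "https://in-toto.io/Statement/v1", PredicateType: predicateType,
		Subject:   []Subject{{Name: image, Digest: map[string]string{"sha256": sha256}}},
		Predicate: json.RawMessage(`{"runDetails":{"builder":{"id":"https://tekton.dev/chains/v2"}}}`)}
}

// signStatement mirrors the controller's job after a TaskRun completes: marshal, sign the PAE, wrap.
func signStatement(priv ed25519.PrivateKey, stmt Statement) Envelope {
	body, _ := json.Marshal(stmt) // cannot fail for this struct
	sig := ed25519.Sign(priv, pae(payloadType, body))
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: "cosign-key", Sig: base64.StdEncoding.EncodeToString(sig)}}}
}

// verifyEnvelope decodes the statement only after a signature validates over the PAE.
func verifyEnvelope(pub ed25519.PublicKey, env Envelope) (stmt Statement, err error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return
	}
	for _, s := range env.Signatures {
		raw, e := base64.StdEncoding.DecodeString(s.Sig)
		if e == nil && ed25519.Verify(pub, pae(env.PayloadType, body), raw) {
			err = json.Unmarshal(body, &stmt)
			return
		}
	}
	return stmt, fmt.Errorf("no signature verifies with the trusted key")
}

// checkSubject runs after signature verification: a valid signature on a statement about another image is still a rejection.
func checkSubject(stmt Statement, imageSHA256 string) error {
	if stmt.PredicateType != predicateType {
		return fmt.Errorf("unexpected predicate type %q", stmt.PredicateType)
	}
	for _, s := range stmt.Subject {
		if s.Digest["sha256"] == imageSHA256 {
			return nil
		}
	}
	return fmt.Errorf("attestation subject does not cover image digest %s", imageSHA256)
}

// demo signs a constructed statement with a fixed demo key, then checks the genuine envelope and a payload-swapped one.
func demo() (genuineOK, tamperedRejected bool) {
	priv := ed25519.NewKeyFromSeed([]byte("demo-seed-not-for-production-00!")) // constructed 32-byte seed
	pub := priv.Public().(ed25519.PublicKey)
	const digest = "4a6f3c9e8b2d1f0a7c5e3b9d1f2a4c6e8b0d2f4a6c8e0b2d4f6a8c0e2b4d6f8a" // constructed
	env := signStatement(priv, sampleStatement("registry.example.com/app", digest))
	stmt, err := verifyEnvelope(pub, env)
	genuineOK = err == nil && checkSubject(stmt, digest) == nil
	forged, _ := json.Marshal(sampleStatement("registry.example.com/app", "deadbeef")) // keep old signature
	tampered := env
	tampered.Payload = base64.StdEncoding.EncodeToString(forged)
	_, err = verifyEnvelope(pub, tampered)
	tamperedRejected = err != nil
	return
}

func main() {
	g, t := demo()
	fmt.Printf("genuine verified=%v, payload-swapped rejected=%v\n", g, t)
}
```

The payload-swap case in demo() is why the signature is computed over the PAE and why a verifier must decode the payload only after a signature validates; the subject check is why "signed" is not the same as "signed for this image", which is the check an admission-time verifier makes against the digest it is about to run. A production gate would additionally pin runDetails.builder.id and the build type to the expected Chains values, and, where transparency is enabled, confirm the Rekor entry for the signature.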
Tekton Chains requires proper key management for signing artifacts. The security of your supply chain depends on the security of your signing keys: anyone who obtains the private key can produce signatures and attestations that verifiers will accept, so prefer a KMS-backed key over a key held in a plain Kubernetes Secret, and restrict who can read the namespace that holds the Chains signing configuration.
Some features may require additional configuration of external services like OCI registries or KMS systems.
Tekton Chains observes TaskRuns and PipelineRuns after they complete, so there may be a slight delay between when a pipeline finishes and when the attestations are available.