Supply Chain Compliance: SLSA and SBOM

A container image you deploy to production pulls in hundreds of packages you never wrote: base images, transitive dependencies, build tools, runtime libraries. If any of those components is compromised, how would you know? The SolarWinds attack injected malicious code into a product during its build process, so the signed release was already backdoored. Codecov's bash uploader was altered on the server that distributed it, so every CI job that downloaded and ran the script handed its environment to the attacker. Log4Shell (CVE-2021-44228) proved that a single transitive dependency buried deep in the dependency tree can expose every system that includes it, including systems whose owners did not know log4j-core was there.
"Trust the upstream" is not a security strategy. Supply chain compliance replaces trust with verification: SLSA levels for build integrity (how the artifact was built, by whom, from what source), SBOMs for component transparency (what the artifact contains), and Sigstore signatures for cryptographic proof that an artifact and its provenance came from the claimed builder. The KCSA exam tests these under the Compliance and Security Frameworks domain (10% of the exam), and Kubernetes itself uses all three for its own releases: release artifacts are signed with Sigstore and shipped with an SBOM and SLSA provenance.
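The "what the artifact contains" question is the one an SBOM answers, and the Log4Shell case above is exactly where it pays off: the exposed library is not a direct dependency, so you need to walk the dependency graph to find it. The following Python is an added example, not code from the lesson or from any SBOM tool. It builds a constructed CycloneDX 1.4 SBOM for a hypothetical service (`orders-api` and every `com.example` component are made up; only the log4j coordinates and the 2.15.0 fix version are real), then walks the `dependencies` graph breadth-first to find the shortest chain from the application to `log4j-core` and compares its version with the fix. The same walk works on an SBOM produced by a real generator, since it only relies on `bom-ref`, `components` and `dependencies`.

```python
import json
from collections import deque
from typing import Callable, Dict, List, Optional, Tuple

# Log4Shell (CVE-2021-44228) affected log4j-core 2.0-beta9 through 2.14.1 and
# was first fixed in 2.15.0. The 2.12.2 and 2.3.1 back-ports for older Java
# are ignored here; a real scanner should take affected ranges from an
# advisory database (OSV, NVD) rather than a single "fixed in" value.
LOG4SHELL_FIXED_IN = "2.15.0"
LOG4J_GROUP = "org.apache.logging.log4j"


def purl(group: str, name: str, version: str) -> str:
    """Maven package URL, used here as the CycloneDX bom-ref."""
    return f"pkg:maven/{group}/{name}@{version}"


def build_sample_sbom(log4j_version: str = "2.14.1") -> str:
    """Constructed CycloneDX 1.4 SBOM for the hypothetical service 'orders-api'.
    Every com.example component is made up (an assumption for this example);
    the chain is arranged so log4j-core sits six dependency hops below the app."""
    chain = [
        ("com.example", "orders-api", "3.2.0"),
        ("com.example", "orders-core", "3.2.0"),
        ("com.example", "messaging-client", "1.8.0"),
        ("com.example", "rpc-transport", "0.9.4"),
        ("com.example", "telemetry", "2.1.0"),
        ("com.example", "logging-bridge", "1.0.3"),
        (LOG4J_GROUP, "log4j-core", log4j_version),
    ]
    extras = [("com.example", "http-client", "4.0.1"), (LOG4J_GROUP, "log4j-api", log4j_version)]

    def comp(g: str, n: str, v: str) -> Dict:
        return {"type": "library", "group": g, "name": n, "version": v, "bom-ref": purl(g, n, v)}

    root = dict(comp(*chain[0]), type="application")
    components = [comp(*c) for c in chain[1:] + extras]
    # One edge per link of the chain, plus two side branches so the graph is not a bare list.
    deps = [{"ref": purl(*a), "dependsOn": [purl(*b)]} for a, b in zip(chain, chain[1:])]
    deps[1]["dependsOn"].append(purl(*extras[0]))                             # orders-core -> http-client
    deps.append({"ref": purl(*chain[-1]), "dependsOn": [purl(*extras[1])]})   # log4j-core -> log4j-api
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                       "metadata": {"component": root}, "components": components, "dependencies": deps})


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Only leading digits of each
    segment count, which is enough for log4j's numbering but not a general
    Maven or semver comparator."""
    parts: List[int] = []
    for seg in v.split("."):
        num = ""
        for ch in seg:
            if not ch.isdigit():
                break
            num += ch
        if not num:
            break
        parts.append(int(num))
    return tuple(parts)


def load_graph(sbom_json: str):
    """Index components by bom-ref and turn 'dependencies' into an adjacency map."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    components[root["bom-ref"]] = root
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    return root["bom-ref"], components, edges


def shortest_path(root: str, edges: Dict[str, List[str]], matches: Callable[[str], bool]) -> Optional[List[str]]:
    """Breadth-first walk down 'dependsOn' edges from the application. The first
    hit is the shortest chain, which is the one to show the team that owns the app."""
    queue = deque([[root]])
    seen = {root}
    while queue:
        path = queue.popleft()
        if matches(path[-1]):
            return path
        for nxt in edges.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def check_exposure(sbom_json: str, group: str, name: str, fixed_in: str) -> Dict:
    """Report whether group:name is reachable from the application and, if so,
    whether the shipped version predates the fix."""
    root, components, edges = load_graph(sbom_json)

    def matches(ref: str) -> bool:
        c = components.get(ref, {})
        return c.get("group") == group and c.get("name") == name

    path = shortest_path(root, edges, matches)
    if path is None:
        return {"present": False, "vulnerable": False, "version": None, "depth": 0, "path": []}
    found = components[path[-1]]
    return {
        "present": True,
        "version": found["version"],
        "vulnerable": parse_version(found["version"]) < parse_version(fixed_in),
        "depth": len(path) - 1,
        "path": [f'{components[r]["name"]}@{components[r]["version"]}' for r in path],
    }


if __name__ == "__main__":
    report = check_exposure(build_sample_sbom(), LOG4J_GROUP, "log4j-core", LOG4SHELL_FIXED_IN)
    print(" -> ".join(report["path"]))
    print("vulnerable:", report["vulnerable"], "depth:", report["depth"])
```

Run against the constructed SBOM, the report shows `log4j-core@2.14.1` six hops below `orders-api` and flags it; rebuilding the SBOM with `build_sample_sbom("2.17.1")` clears the flag. The point of walking the graph rather than grepping the component list is the path: an SBOM tells you not only that a bad version is present but which direct dependency dragged it in, which is what you need to fix it or to argue with the upstream.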
Part of the KCSA — Kubernetes and Cloud Native Security Associate course (39 lessons).