Supply Chain Security Overview

You trust the container image running in your cluster. But do you know where it was built? Can you prove that nobody tampered with it between the CI pipeline and your node's container runtime? Can you list every dependency packaged inside it?
These are supply chain security questions, and they sit at the heart of the KCSA Platform Security domain (16% of the exam). High-profile attacks like SolarWinds (compromised build pipeline shipped a backdoor to 18,000 customers), Codecov (tampered bash uploader exfiltrated CI secrets for two months), and the ua-parser-js npm compromise have shown that attackers increasingly target the delivery pipeline rather than the running application. For Kubernetes teams, this means securing every step from source commit to running pod. The KCSA tests conceptual understanding of these defenses, not hands-on tool configuration.
Create a free account or sign in to enroll in the KCSA — Kubernetes and Cloud Native Security Associate course and access all 39 lessons.