At KubeCon+CloudNativeCon North America, Stacey Potter (OpenSSF) and Adolfo García Veytia delivered one of the most memorable and entertaining keynotes of the week: “Supply Chain Reaction: A Cautionary Tale in Kubernetes Security.”
Through a live-acted security incident, humorous storytelling, and real-world tooling demos, they showed how even well-secured Kubernetes clusters can fall victim to invisible supply-chain compromise, and demonstrated why frameworks like the Open Source Project Security (OSPS) Baseline are becoming essential for every project, not just for critical infrastructure.
A Security Incident That Looked Impossible
The keynote begins with a fictional but highly realistic Kubernetes incident. A seemingly well-secured application suddenly consumes all CPU resources and begins mining cryptocurrency. Every traditional security box was checked:
- Strict network policies
- Secrets management
- mTLS for internal communication
- Unprivileged pods and restrictive RBAC
- No known vulnerabilities in the image
Yet the attacker succeeded because the compiler image used in the build pipeline had been compromised. The “crypto-mining payload” was injected before the application ever touched the cluster. Because the compromised component contained no known vulnerabilities, scanners reported “zero CVEs.” The security failure was not in the code but in the supply chain.
Securing the Lifecycle, Not Just the Code
The speakers illustrated how modern supply-chain security requires integrity controls that begin well before images reach the cluster. They demonstrated how:
- SLSA (Supply-chain Levels for Software Artifacts) can verify the provenance of builder images and source.
- Sigstore can enforce signing and verification, ensuring only trusted images are deployed.
- Policy engines, such as CNCF’s Kyverno and open source project Ampel, can block compromised or unverified artifacts long before they reach production.
But the talk’s most important takeaway was that no individual tool is enough on its own. What projects need is a clear, structured, progressively adoptable framework that helps them position these tools effectively. That is the role of the OSPS Baseline.
The OSPS Baseline: A Practical Map for Every Open Source Project
The OSPS Baseline is a new OpenSSF framework that distills years of security expertise into concrete, accessible, and highly actionable controls. The keynote emphasized that frameworks like this are no longer optional; they are fundamental to resisting precisely the type of attack demonstrated on stage.
The Baseline covers eight control families that span the full lifecycle of open source software:
- Access Control
- Build and Release
- Documentation
- Governance
- Legal
- Quality
- Security Assessment
- Vulnerability Management
These categories address the reality that attacks increasingly target build systems, maintainers, and project workflows, not just code.
Three Levels of Maturity
The Baseline’s approach is intentionally incremental:
- Level 1 establishes essential practices such as MFA, protected branches, and basic governance.
- Level 2 introduces release signing, more structured vulnerability processes, and automated testing.
- Level 3 is intended for widely adopted or critical open source projects that must operate at a high assurance level.
The maturity model allows projects to start at a level that reflects their usage, not their security expertise. The keynote demonstrated how applying even a small subset of Baseline controls significantly strengthens a project’s posture, especially in supply-chain integrity.
Why the Baseline Matters in the Era of Invisible Supply-Chain Attacks
The compromised compiler scenario in the keynote is precisely the kind of attack that the OSPS Baseline is designed to mitigate. By ensuring that:
- Build and version control systems are hardened,
- Source changes follow documented processes,
- Release artifacts are signed and traceable,
- Dependencies are managed responsibly, and
- Maintainers operate with secure, sustainable governance.
Projects gain protection against threats that would not appear in a vulnerability scanner report. This shifts security from reactive to preventative and distributes responsibility across the entire lifecycle of a project.
OpenSSF Projects Working Together
The talk reinforced that the Baseline does not stand alone. It integrates naturally with the broader ecosystem of OpenSSF projects, including:
- SLSA for source code & build provenance
- Sigstore for signing and verification
- OpenSSF Scorecard for automated posture evaluation
- ORBIT for project governance and security guidance
- OpenSSF’s policy and best practices working groups
The Baseline serves as the organizing framework that helps projects understand when, where, and how to use these tools effectively, reducing complexity for maintainers who may not be security specialists.
A Community Effort, Not a Solo Task
The speakers closed by reminding the audience that supply-chain security is a shared responsibility. Open source maintainers, contributors, and organizations all have a role. The OSPS Baseline is designed to meet projects where they are and help them grow without overwhelming them. Participation can begin with simple steps: joining a working group, adopting MFA, signing releases, improving documentation, or engaging with community discussions.
Learn More and Get Started
Strengthening the open source software supply chain is a shared responsibility, and every contribution, large or small, moves the entire ecosystem forward. We can’t wait to see you joining this effort!
OSPS Baseline: https://openssf.org/projects/osps-baseline/
OpenSSF Projects: https://openssf.org/projects
Get involved to OpenSSF Community: https://openssf.org/getinvolved/