A Step Closer to in-Toto'lly Secure: Using in-toto and OPA Gatekeeper
Bridging Supply Chain Security and Runtime Policy Enforcement
At Open Source Summit North America 2024, John Kjell teamed up with Tom Meadows from ControlPlane to demonstrate a powerful combination: using in-toto attestations for supply chain verification alongside OPA Gatekeeper for runtime policy enforcement in Kubernetes clusters.
This technical presentation shows how organizations can create an end-to-end security pipeline that verifies software integrity from build time through runtime deployment. The integration of these two CNCF projects represents a significant step toward “in-toto'lly secure” software delivery, where every component is verified and every deployment is policy-compliant.
Why This Integration Matters
Traditional security approaches often create silos between build-time verification and runtime policy enforcement. This talk breaks down those barriers by showing how in-toto attestations can carry security metadata from the build process directly into Kubernetes admission control decisions.
The practical demonstration covers real-world challenges like managing cryptographic keys, storing and retrieving attestations, and optimizing policy evaluation performance in high-throughput deployment environments.
Key Takeaways
in-toto provides a framework for end-to-end verification of software supply chain integrity
OPA Gatekeeper enables policy enforcement at the Kubernetes admission control layer
Combining in-toto attestations with Gatekeeper policies creates an enforcement point where admission decisions depend on verified build-time evidence
Attestations must be cryptographically verifiable and tied to specific software artifacts
Policy-as-code approaches make security requirements auditable and version-controlled
Integration challenges include key management, attestation storage, and performance optimization
Watch the Full Presentation
30 minutes of insights on in-toto
About the Speakers
About John Kjell
John Kjell is a Principal Consultant at ControlPlane, where he champions the adoption of supply chain security standards across the industry. His deep expertise in in-toto, combined with practical experience deploying these systems at scale, makes him uniquely qualified to speak on supply chain security integration challenges.
John has been a key contributor to several OpenSSF projects and has spoken at major conferences worldwide about the practical challenges of implementing supply chain security. His focus on bridging the gap between security theory and operational reality has helped numerous organizations adopt attestation-based security practices.
About Tom Meadows
Tom Meadows is an engineer at ControlPlane, where he specializes in Kubernetes security and policy enforcement. His expertise with OPA Gatekeeper and admission controllers provides the operational perspective needed to make supply chain security practical in real-world environments.
Related Resources
in-toto Project Homepage
Official documentation and specifications for the in-toto supply chain security framework
OPA Gatekeeper Documentation
Complete guide to implementing policy-as-code with Gatekeeper in Kubernetes
SLSA Supply Chain Security Framework
Industry standards for supply chain security levels and attestation formats