How do you make sure only trusted container images can run in your cluster, and what does signing an image actually prove?

technical-conceptual · Mid level · cloud-devops-security

What the interviewer is really asking

Test understanding of container supply-chain security beyond vulnerability scanning — image provenance, signing, and admission-time enforcement, and the limits of what a signature guarantees.

What to say

What to avoid

Example answers

Strong: In our GitHub Actions pipeline the build step uses cosign keyless signing: the job's OIDC token gets a short-lived Fulcio cert, we sign the image by digest and attach an SBOM and SLSA provenance attestation, all recorded in Rekor. In the cluster, a Kyverno policy verifies the signature against our expected OIDC subject (the repo's workflow identity) and blocks any image that isn't signed by it — so even if someone pushed a malicious image to the registry, it can't be admitted because it wasn't signed by our pipeline identity.

Weak: We trust our images because we scan them with Trivy and there are no critical vulnerabilities.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.