The Linux Foundation announced that Kubernetes has completed a rewrite of its kpromo system, modernizing the image promotion supply chain. The update removes the legacy pipeline and enables provenance features by default for all images.
Kubernetes, the popular open-source container orchestration platform, has modernized its image promotion supply chain through a complete rewrite of kpromo, the system responsible for moving images into the registry at github.com/kubernetes/registry.k8s.io. The Linux Foundation shared this update, noting that the legacy pipeline has been fully removed. Newer provenance features are now enabled by default, including SLSA attestation, cosign validation, and keyless signing for all Kubernetes images. The Linux Foundation described this as a critical step for building trust in the supply chain. kpromo plays a key role in ensuring that container images used in Kubernetes deployments meet security standards before entering the official registry. This change aims to enhance security practices across the ecosystem by making advanced verification methods standard. The announcement highlights ongoing efforts to strengthen software supply chain integrity amid rising concerns over vulnerabilities in container images.
