Image Signing and Runtime Verification at Scale - Datadog's Journey

Explore Datadog's approach to image signing and runtime verification at scale in this conference talk. Delve into the challenges of securing container images across diverse engineering environments and learn about Datadog's unique solutions. Discover their service-oriented approach to image signing, which simplifies adoption across heterogeneous build environments. Understand why they chose to validate image signatures at runtime using a containerd plugin system instead of Kubernetes admission controllers. Gain insights into the design decisions, implementation details, and real-world experiences of operating this system in production. Learn about signature metadata, formats, and registry layouts, as well as the benefits of a signing service for least privilege and auditability. Examine the developer perspective, distribution of verifier configurations, public keys, and image revocation lists. Conclude with valuable takeaways and recommendations for implementing similar systems in your own environment.