Maps each trust control plane layer to the regulatory clauses it satisfies. Intended for audit preparation and evidence packaging.
The lab produces verifiable, reproducible evidence for each control listed below. Evidence artifacts are generated by the supply chain gate (supply-chain-gate.yml) and the enforcement layer (analyze-drift.py, audit-fleet.sh).
| Control | Layer | Evidence artifact |
|---|---|---|
| Image integrity verification | Trust | Kyverno admission log, cosign verify output |
| Software Bill of Materials | Supply Chain | CycloneDX SBOM (cosign attest) |
| Vulnerability disclosure | Supply Chain + Enforcement | grype attestation, audit-fleet.sh report |
| Provenance attestation | Supply Chain | SLSA provenance (supply-chain-gate.yml) |
| Drift detection | Enforcement | analyze-drift.py output |
| Admission enforcement | Trust | Kyverno policy audit log |
| Break-glass access control | Trust | break-glass-exception.yaml + audit trail |
Relevant standard: 45 CFR §164.312 — Technical Safeguards
| Clause | Requirement | Lab control | Evidence |
|---|---|---|---|
| §164.312(a)(1) | Access control — unique user identification | Keyless signing ties image origin to a specific OIDC identity (GitHub Actions workflow or vendor pipeline) | cosign verify output showing subject + issuer |
| §164.312(b) | Audit controls — record activity on systems containing ePHI | Kyverno admission logs record every deploy attempt (admitted and rejected) with image reference, namespace, timestamp | Kyverno audit log via kubectl get events or SIEM integration |
| §164.312(c)(1) | Integrity — protect ePHI from improper alteration | Cosign signature pins the image to a specific digest; drift detection flags any post-admission digest change | analyze-drift.py Drift column |
| §164.312(e)(2)(ii) | Encryption and decryption | SBOM attestation documents what cryptographic libraries are present and their versions | CycloneDX SBOM artifact |
Relevant requirements: Requirement 6 (Secure Systems and Software) and Requirement 11 (Test Security)
| Requirement | Description | Lab control | Evidence |
|---|---|---|---|
| 6.3.3 | All software components protected from known vulnerabilities | grype vulnerability scan attested at build time; audit-fleet.sh runs continuous post-deployment scan | grype attestation artifact, audit-fleet.sh report |
| 6.4.1 | Public-facing web apps protected against known attacks | Admission policy rejects images without verified provenance; unsigned images cannot reach production | Kyverno admission rejection log |
| 6.5.1 | Manage all payment software components | SBOM documents every package in every image; SBOM delta tool (tools/generate-sbom-delta.sh) shows exactly what was added on top of the base |
CycloneDX SBOM + SBOM delta report |
| 11.3.1 | Internal vulnerability scans performed | audit-fleet.sh runs scanner-driven vulnerability inventory across the fleet on schedule | audit-fleet.sh CronJob output |
Relevant Trust Service Criteria: CC6 (Logical and Physical Access) and CC7 (System Operations)
| Criterion | Description | Lab control | Evidence |
|---|---|---|---|
| CC6.1 | Logical access security measures | Kyverno require-signature enforces that only images from approved signing identities can run |
Kyverno ClusterPolicy + admission log |
| CC6.2 | Prior to issuing system credentials, entity registers and authorizes new internal and external users | Signing identity (subject + issuer) is the credential; policy explicitly allow-lists approved identities |
require-signature.yaml identity matcher |
| CC6.8 | Entity implements controls to prevent or detect and act upon the introduction of unauthorized software | require-trusted-registry restricts image sources; require-signature rejects unsigned images |
Policy manifests + admission rejection log |
| CC7.1 | Detect and monitor for new vulnerabilities | audit-fleet.sh continuously surfaces CVE findings by workload and team; findings route to owners via Kubernetes events |
audit-fleet.sh output, CronJob manifest |
| CC7.2 | Monitor system components for anomalous behavior | analyze-drift.py detects digest drift, unsigned workloads, and SBOM-absent images post-admission |
analyze-drift.py output |
Relevant clauses: Subpart B (Electronic Records)
| Clause | Requirement | Lab control | Evidence |
|---|---|---|---|
| §11.10(a) | System validation — accurate and reliable operation | Lab includes five hypothesis-driven experiments (E1–E5) with documented expected vs. actual outcomes | Experiment READMEs, output/ directories |
| §11.10(b) | Ability to generate accurate copies of records | All artifacts (signatures, SBOMs, attestations) are content-addressed OCI objects stored in the registry; reproducible by digest | Registry manifest + cosign download |
| §11.10(c) | Record protection — protect electronic records throughout retention | Cosign signatures stored in Rekor transparency log (append-only, tamper-evident) | Rekor log entry (cosign verify --rekor-url) |
| §11.10(e) | Audit trail — secure, computer-generated, time-stamped audit trail | Kyverno admission logs + Rekor transparency log entries provide time-stamped, immutable record of every deployment | Kyverno event log + Rekor entries |
| §11.10(k) | Device checks — use of appropriate controls over use of devices | require-trusted-registry constrains which registries workloads may pull from |
require-trusted-registry.yaml |
Relevant sections: Section 4 (Countermeasures)
| Section | Countermeasure | Lab control | Evidence |
|---|---|---|---|
| 4.1.1 | Use container-specific OS and images | DHI base (dhi.io/python:3.13) is a distroless, minimal runtime — no shell, no package manager |
Dockerfile in experiments/E4-supply-chain-gates/examples/sample-app/ |
| 4.1.2 | Image provenance and integrity | Cosign keyless signing + SLSA provenance attestation document build origin and environment | supply-chain-gate.yml, cosign verify output |
| 4.1.3 | Avoid including unnecessary components | SBOM delta tool shows exactly what the application adds on top of the base; nothing else | tools/generate-sbom-delta.sh output |
| 4.2.1 | Use read-only filesystems | DHI base runs as nonroot (UID 65532) with no write access to system paths |
Dockerfile USER directive, DHI base defaults |
| 4.3.1 | Use namespaces | Experiments deploy into isolated namespaces (trust-plane-demo); require-trusted-registry is scoped per namespace |
Namespace manifests, policy scope |
| 4.5.1 | Vulnerability management | Continuous vulnerability inventory via audit-fleet.sh; findings attributed to owning teams with patch-age tracking |
audit-fleet.sh output |
When preparing evidence for an audit cycle, run the following and collect the outputs:
# 1. Current policy state
kubectl get clusterpolicy -o yaml > evidence/policies-$(date +%Y%m%d).yaml
# 2. Recent admission events (last 7 days)
kubectl get events --all-namespaces \
--field-selector reason=PolicyViolation \
--sort-by='.lastTimestamp' > evidence/admission-events-$(date +%Y%m%d).txt
# 3. Drift audit snapshot
python3 experiments/E1-drift-observation/analyze-drift.py \
--cluster $(kubectl config current-context) \
--output table > evidence/drift-audit-$(date +%Y%m%d).txt
# 4. Fleet vulnerability inventory
bash tools/audit-fleet.sh > evidence/vuln-inventory-$(date +%Y%m%d).txt
# 5. Signature verification for a specific image
cosign verify \
--certificate-identity-regexp '^https://github\.com/opscart/.*' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
<image-ref> > evidence/sig-verify-$(date +%Y%m%d).txtCollect into a single evidence package and attach to the audit workpaper. Each output is timestamped and reproducible.
- architecture.md — how the three layers produce these controls
- thesis.md — scope limits (what this pattern does not address)
- runbook.md — break-glass procedures and their audit implications