DevConf.CZ 2026

No Unsigned Models in My Cluster: Bringing Container Trust to AI Models on Kubernetes
2026-06-19, D0206 (capacity 154)

Container images get signed and verified. AI models almost never do. A poisoned checkpoint can run arbitrary code at deserialization, yet Kubernetes clusters treat model weights as trusted blobs. The tooling to change this reached v1.0 in 2025.

This talk walks through a practical enforcement pipeline for model trust on Kubernetes using three open source tools: Sigstore model signing (OMS v1.0) to sign model artifacts, the Sigstore Model Validation Operator for admission-time verification, and Kyverno policies to block workloads that reference unsigned models. We trace the lifecycle: signing in CI, recording in Rekor, and blocking a tampered checkpoint at deploy time.

We also cover what still breaks: verification of quantized and adapter-merged models, hashing instability across formats, and where AIBOM metadata fits into the attestation chain. A live demo signs, deploys, and blocks an unsigned model on a running cluster.
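The last step of the pipeline, blocking a workload whose model has not passed verification, is the kind of rule Kyverno expresses well. The policy below is an added illustration written for this page, not material from the talk or from the Sigstore or Kyverno projects: it denies any Pod labelled as using a model unless it carries a "verified" annotation. The label `ai.example.org/uses-model` and the annotation `ai.example.org/model-verified` are placeholder names chosen here; the real marker that the Model Validation Operator records on a workload is not stated on this page and would replace them in a real deployment.

```yaml
# Added example (not from the talk): a Kyverno ClusterPolicy that refuses Pods
# referencing a model unless a verification marker is present.
# ai.example.org/uses-model and ai.example.org/model-verified are hypothetical
# names standing in for whatever the admission-time verifier actually sets.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-verified-model
spec:
  # Enforce rejects the request at admission instead of only reporting it.
  validationFailureAction: Enforce
  # Admission-time only: do not re-scan already-running Pods in the background.
  background: false
  rules:
    - name: model-must-be-verified
      match:
        any:
          - resources:
              kinds:
                - Pod
              selector:
                matchLabels:
                  ai.example.org/uses-model: "true"
      validate:
        message: >-
          Pods that load a model must carry the verification annotation
          set after the model signature was checked.
        # A pattern match fails when the annotation is absent or has another value.
        pattern:
          metadata:
            annotations:
              ai.example.org/model-verified: "true"
```

Pods created without the label are not matched and are unaffected; labelled Pods are admitted only when the annotation is exactly `"true"`, so a tampered or never-signed checkpoint whose verification step did not run (or failed) is kept out of the cluster. Running the policy in `Audit` mode first shows which existing workloads would be blocked before switching to `Enforce`.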

Experience level: Intermediate - attendees should be familiar with the subject

Ayushi is an Associate Software Engineer at Red Hat, specializing in AI, Python, and open source. With over 2 years of experience, she has worked on rule writing, log analysis, and proactive issue resolution. She is a mentor and public speaker, frequently sharing insights on open source, AI advancements, and career growth in tech. Passionate about scalable automation and AI-driven support systems, she strives to bridge the gap between engineering efficiency and real-world problem-solving.

Rahul Sharma is a Senior Software Engineer at Red Hat with over six years of experience building Python systems for cloud-native infrastructure. He specializes in rule-driven diagnostics across Linux and Kubernetes. His work focuses on deterministic, testable architectures on real-world data and integrating LLM components into infrastructure software with strong evaluation and guardrails. His talks draw from production lessons and practical patterns for building systems that scale reliably.