Supply Chain Security

Artifact signatures and attestations for Tekton

Tekton Chains

Supply Chain Security in Tekton Pipelines

Tekton Chains logo

Getting Started

Tekton Chains is a Kubernetes Custom Resource Definition (CRD) controller that allows you to manage your supply chain security in Tekton.

In its default mode of operation, Chains works by observing all TaskRuns executions in your cluster. When TaskRuns complete, Chains takes a snapshot of them. Chains then converts this snapshot to one or more standard payload formats, signs them and stores them somewhere.

Current features include:

  • Signing TaskRun results with user provided cryptographic keys, including TaskRuns themselves and OCI Images
  • Attestation formats like intoto
  • Signing with a variety of cryptograhic key types and services (x509, KMS)
  • Support for multiple storage backends for signatures


Prerequisite: you’ll need Tekton Pipelines installed on your cluster before you install Chains.

To install the latest version of Chains to your Kubernetes cluster, run:

kubectl apply --filename

To install a specific version of Chains, run:

kubectl apply -f${VERSION}/release.yaml

To verify that installation was successful, wait until all Pods have Status Running:

kubectl get po -n tekton-chains --watch
NAME                                       READY   STATUS      RESTARTS   AGE
tekton-chains-controller-c4f7c57c4-nrjb2   1/1     Running     0          160m

Installation on OpenShift

Prerequisite: you’ll need Tekton Pipelines installed on your OpenShift cluster before you install Chains.

To install Tekton Chains on OpenShift, you must first apply the anyuid security context constraint to the tekton-chains-controller service account. This is required to run the controller pod. See Security Context Constraints for more information.

  1. Log on as a user with cluster-admin privileges. The following example uses the default system:admin user:

    oc login -u system:admin
  2. Set up the namespace (project) and configure the service account:

    oc new-project tekton-chains
    oc adm policy add-scc-to-user nonroot -z tekton-chains-controller
  3. Install Tekton Chains:

    oc apply --filename

    See the OpenShift CLI documentation for more information on the oc command.

  4. Monitor the installation using the following command until all components show a Running status:

    oc get pods --namespace tekton-chains --watch


To finish setting up Chains, please complete the following steps:


To get started with Chains, try out our getting started tutorial.

To start signing OCI images and generating signed provenance for them, try our signed provenance tutorial.

Community tutorials

The Chains community has been hard at work creating tutorials as well:

Experimental Features

To learn more about experimental features, check out

Want to contribute

We are so excited to have you!

  • See for an overview of our processes
  • See for how to get started
  • See for the current roadmap Check out our good first issues and our help wanted issues to get started!

To learn more about Chains:

  • Chat with us in the #chains Slack channel
  • Attend the Chains Working Group meeting, details here