// Technology / Signed Resources
Change needs provenance.
QHx signed resources let trusted authorities distribute Kubernetes resources, policy updates, and deployments through cryptographically signed bundles.
// Mechanism
Remote change should not become remote control.
A signed resource encapsulates one or more Kubernetes resources with a signature and version. QHx Manager verifies the bundle before applying it.
- Signed bundlePolicies, deployments, and services are signed by an approved authority.
- Version protectionResource versions prevent rollback to older signed states.
- Sealed resourcesCritical resources can be protected from ordinary modification and updated only through signed paths.
- Air-gapped useBundles can be transported into isolated environments without losing provenance.
Authority travels with the update.