SLSA3 Missing pieces
This issue is meant to track the remaining work needed to push towards SLSA3 in our release process. This initial dump is meant to dump the remaining tasks before we prioritize them. Please note that pushing towards SLSA level 3 means effectively complying with level 2, thus all L2 tasks are folded into this list.
These remaining items are based on our SLSA Compliance Assessment tracking sheet.
Remaining SLSA Level 3 Compliance Tasks:
Provenance - Service Generated
- [ ] https://github.com/kubernetes/release/issues/2611
- [ ] Builder: Support for writing initial, partial attestation and "sleeping" (persisting it to disk)
- [ ] Builder: Complete persisted attestations: Read build-generated subjects and assemble pending statement
- [ ] GCB: Attach a volume to write and retrieve provenance metadata
- [ ] GCB: Add step to write initial attestation before staging
- [ ] GCB: Add step to complete provenance attestation after staging
- [ ] GCB: Add step to write initial attestation before release
- [ ] GCB: Add step to complete provenance attestation after release
Build as Code
- [x] Builder: Run from a configuration file. (It was tasked in our initial assessment, ticked as we are running already from GCB configuration files)
Provenance - Non-falsifiable
- [ ] Builder: Implement attestation signing to sign in post-stage and post-release steps
- [x] https://github.com/kubernetes/release/issues/2617
Identify Entry Point
- [ ] Write entry point (k/release commit) is recorded in attestations
Related Efforts:
Ensure Integrity of Our Builder!
- [ ] Sign `k8s-cloud-builder` image
- [ ] GCB: Verify `k8s-cloud-builder` image before stage
- [ ] GCB: Verify `k8s-cloud-builder` image before release
- [ ] https://github.com/kubernetes-sigs/release-sdk/issues/94
File Signing
- [x] https://github.com/kubernetes/release/issues/2618
Sign & Promote SBOMs
- [ ] https://github.com/kubernetes-sigs/promo-tools/issues/600
- [x] https://github.com/kubernetes-sigs/promo-tools/issues/601
*Note: tasks prefixed with Builder: are part of an upcoming provenance builder proposal (not ready yet)
Infra: Plan signer account and access
I think it's https://github.com/kubernetes/k8s.io/pull/3854
@ameukam sorry the one liner may be a bit misleading. I think this point needs a little more clarification so I've opened https://github.com/kubernetes/release/issues/2617 to expand the idea and discuss!
I guess everything except #2618 belongs to the SLSA KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-release/3027-slsa-compliance
Do we have to update it?
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
You can:
- Mark this issue or PR as fresh with `/remove-lifecycle stale`
- Mark this issue or PR as rotten with `/lifecycle rotten`
- Close this issue or PR with `/close`
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
You can:
- Mark this issue as fresh with `/remove-lifecycle stale`
- Close this issue with `/close`
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
You can:
- Mark this issue as fresh with `/remove-lifecycle rotten`
- Close this issue with `/close`
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
/remove-lifecycle rotten
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
You can:
- Mark this issue as fresh with `/remove-lifecycle stale`
- Close this issue with `/close`
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, `lifecycle/stale` is applied
- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
You can:
- Mark this issue as fresh with `/remove-lifecycle stale`
- Close this issue with `/close`
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/lifecycle frozen