
SLSA Level 3 compliance for Kyverno

Open JimBugwadia opened this issue 4 years ago • 6 comments

Is your feature request related to a problem? Please describe.

SLSA Level 3 compliance for the Kyverno build process

Describe the solution you'd like

Plan and execute steps to make Kyverno CI/CD SLSA Level 3 compliant

Additional context

JimBugwadia avatar Jan 28 '22 23:01 JimBugwadia

/assign

wryonik avatar Apr 07 '22 18:04 wryonik

Hey @JimBugwadia, as I understand it from the SLSA Level 3 framework, which helps to improve trust in the artifacts, we can make use of a runtime security tool that can be used in CI/CD pipelines or the build process.

I believe this can be achieved by using GitHub Actions workflows to isolate the build process from the maintainer's interference in the workflow, and Sigstore's signing tools for authenticity and provenance information, without having to manage their own signing keys.

How does this work?

  • Using GitHub Actions, we can create a reusable workflow that acts as a trusted build process and uses different VMs to 1) compile the project and 2) generate the SLSA provenance, creating non-forgeable provenance metadata that contains the source repository reference where that code is defined.

  • Cosign, Fulcio, and Rekor provide a standard way to interact with the provenance information.

  • The combination of GitHub Actions with Sigstore tooling makes it easier for more projects to sign their builds and is an essential item for transparency in build provenance.

cc @chipzoller

afzal442 avatar May 18 '22 08:05 afzal442

@afzal442 - what you described is on the right track. Can you please clarify your question?

JimBugwadia avatar May 23 '22 01:05 JimBugwadia

Sorry @JimBugwadia! I don't have any questions yet. But I have explained above what I have understood about the framework and what we can do. Thanks.

afzal442 avatar May 23 '22 14:05 afzal442

@wryonik are you working on this issue?

chipzoller avatar Jun 01 '22 00:06 chipzoller

/assign

zurrehma avatar Aug 15 '22 17:08 zurrehma

Related blog post: https://docs.google.com/document/d/1cYljGmkCXNLs6mF__ClDl7zGrmV3zoEF2n12cSaVZjk/edit#heading=h.7utel6eaz6nx

zurrehma avatar Aug 23 '22 17:08 zurrehma

Have you ever heard the term "Trusted Builders"? We can achieve SLSA Level 3 for free by using one of the trusted builders the SLSA team provides, since Kyverno's release process has already been running on the GitHub Actions platform.

We can give a hand to this one if you want, @JimBugwadia.

cc: @laurentsimon @asraa @dentrax

References:

  • https://slsa.dev/blog/2022/06/slsa-github-workflows
  • https://security.googleblog.com/2022/04/improving-software-supply-chain.html
  • https://github.blog/2022-04-07-slsa-3-compliance-with-github-actions/

Reference works:

  • https://github.com/ossf/scorecard/pull/1702
  • https://github.com/google/ko/pull/730

developer-guy avatar Aug 24 '22 10:08 developer-guy

Thanks @developer-guy! It looks like it is similar to @afzal442's proposal, but we already have these written out of the box.

Also, to help reliability, it is easy (see google/ko link above) to add a job that gates the SLSA 3 provenance publishing with a verification.

It looks like the reusable release workflow here currently does a cosign sign on the release image.

To start, we can add a generic container job that also attaches a signed attestation to the container images. Note that it only generates a provenance statement that links the artifact to the workflow run and source.

As a next step, we can aim to do what @afzal442 proposed, which is a custom, isolated builder in the form of these SLSA builders that can generate specific, trusted buildConfig information. I am taking a look at the Makefile right now for the build processes.

asraa avatar Aug 24 '22 13:08 asraa
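The two steps described above (attach a generic-container SLSA 3 provenance attestation from a reusable builder, then gate on a verification job) look roughly like the following workflow. This is an added illustration, not Kyverno's actual release workflow and not code from anyone in this thread. It assumes: images are pushed to ghcr.io under the repository name; the `generator_container_slsa3.yml` reusable workflow from `slsa-framework/slsa-github-generator` and the `slsa-verifier` installer action are used at the pinned versions shown (check the upstream READMEs for the current tag and input names before copying); and the `verify-image` subcommand flags `--source-uri` and `--source-tag` are as in slsa-verifier v2.

```yaml
# Added example (hypothetical), not Kyverno's release workflow.
# Job 1 builds and pushes the image and exports its digest.
# Job 2 hands image+digest to the SLSA generic container builder, which
#        runs in its own isolated job and signs the provenance with
#        keyless Sigstore (OIDC id-token), so no project keys are managed.
# Job 3 refuses to let the release proceed unless the provenance verifies
#        against the expected source repository and tag.
name: release

on:
  push:
    tags: ["v*"]

permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    outputs:
      image: ${{ steps.meta.outputs.image }}
      digest: ${{ steps.push.outputs.digest }}   # sha256:... from build-push-action
    steps:
      - uses: actions/checkout@v3
      - uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: meta
        # Assumption: image name derived from the repository, e.g. ghcr.io/org/repo
        run: echo "image=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"
      - id: push
        uses: docker/build-push-action@v4
        with:
          push: true
          tags: ${{ steps.meta.outputs.image }}:${{ github.ref_name }}

  provenance:
    needs: build
    permissions:
      actions: read    # builder reads the workflow run to populate provenance
      id-token: write  # keyless signing via Fulcio/Rekor
      packages: write  # attestation is pushed next to the image
    # Pinned to a release tag; verify the tag and inputs in the upstream README.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
    with:
      image: ${{ needs.build.outputs.image }}
      digest: ${{ needs.build.outputs.digest }}
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}

  verify:
    needs: [build, provenance]
    runs-on: ubuntu-latest
    steps:
      - uses: slsa-framework/slsa-verifier/actions/installer@v2.0.1
      # Pin by digest, not tag, so the check cannot be satisfied by a
      # later re-push of the same tag. Non-zero exit fails the release.
      - run: |
          slsa-verifier verify-image \
            "${{ needs.build.outputs.image }}@${{ needs.build.outputs.digest }}" \
            --source-uri "github.com/${{ github.repository }}" \
            --source-tag "${{ github.ref_name }}"
```

The verification job is what turns the attestation into a gate rather than a decoration: it checks that the provenance was produced by the trusted builder for exactly this digest, from this repository and tag, before any downstream publishing step (for example promoting the tag or publishing release notes) is allowed to depend on it.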

Thanks for tagging us @developer-guy !

We have these issues we're working on that may help for later improvement (as @asraa pointed out): https://github.com/slsa-framework/slsa-github-generator/issues/56 https://github.com/slsa-framework/slsa-github-generator/issues/590

Once these are ready, you would be able to migrate without breaking users who consume these: all these builders use the same provenance format. The only changes would be the name of the builder and the buildConfig field of the attestation that will be populated.

@afzal442 if you're interested in helping out on the slsa repo, let us know.

laurentsimon avatar Aug 24 '22 17:08 laurentsimon

I'd love to help with them especially the ko related one 🙋🏻‍♂️🖖 @laurentsimon

developer-guy avatar Aug 24 '22 17:08 developer-guy

Thanks so much everyone for getting around here. Though I was into that, I am a bit away from this issue. I think @developer-guy you can go ahead with this. I will keep my eyes on your updates. 😉

afzal442 avatar Aug 24 '22 17:08 afzal442

I'd love to help with them especially the ko related one 🙋🏻‍♂️🖖 @laurentsimon

+1! Feel free to comment on the issue.

laurentsimon avatar Aug 24 '22 18:08 laurentsimon